May 11, 2006 9:28 AM PDT

Bill puts cops first in data leak notification

WASHINGTON--A new proposal in Congress would force anyone who possesses electronic personal data to report "major" security breaches to federal authorities before alerting consumers--or face hefty fines and even imprisonment.

The 11-page House of Representatives bill aims to deter identity thieves and dismantle cybercrime operations, such as phishing scams, that swipe personal information. It was introduced this week by House Judiciary Committee Chairman James Sensenbrenner and backed by three Republicans and one Democrat.

The Republican-backed bill would require "whoever owns or possesses data in electronic form" that contains personally identifiable information--such as a person's name, Social Security number or date of birth--to inform the U.S. Secret Service or the FBI within two weeks of discovering a "major breach."

Those law enforcement agencies could then decide to delay notification to consumers by as much as 30 days, if they determine that disclosure would harm criminal investigations or national security.

The bill defines "major breach" as any incident that involves the personal information of 10,000 or more individuals, databases owned by the federal government or personal data about federal employees or contractors involved in "national security matters or law enforcement."

Refusing to comply with the rules could result in up to five years in prison or fines of $50,000 for each day that the intrusion is not reported--an idea endorsed by the Justice Department.

Because of inadequate enforcement tools, "the scope and frequency of cybercrime is growing rapidly and now includes many intentional criminal syndicates and is threatening our economy, safety and prosperity," said Rep. Howard Coble, the North Carolina Republican who presided over Thursday's hearing.

This measure, called the Cybersecurity Enhancement and Consumer Data Protection Act, is part of a constellation of proposals in Congress that seek to respond to a slew of high-profile data breaches that became public during the last year or two. Proposed solutions range from consumer notification of data breaches to restriction of some uses of Social Security numbers.

Balking at penalties
Critics have raised the question of whether criminal penalties are appropriate. In a letter to Coble, Ken Wasch, president of the Software & Information Industry Association, questioned whether the establishment of a new crime for failure to notify when a breach has occurred is "an appropriate response to combating the pernicious effects of identity theft." Such an approach inappropriately places the burden on companies and individuals hoping to safeguard data, not on the criminals looking to exploit it, Wasch said.

The bill differs from data security proposals pending in other House committees in that it does not specifically require consumers to be notified directly of breaches.

Susanna Montezemolo, a policy analyst for the Consumers Union, urged politicians to "tread carefully" on the latest proposal. The legislation does not address some of the broader consumer protection issues, such as requiring direct notification to consumers whose data has been compromised and letting them review and update their personal information periodically for accuracy, she said.

Those omissions also prompted a lukewarm response to the bill from Rep. Robert "Bobby" Scott, the senior Virginia Democrat on the Judiciary panel. "Some tweaking of the bill is desirable to clarify intent and application of some of its provisions," he said.

Other data security bills already approved by House committees do contain more consumer-oriented requirements, and the Judiciary Committee's version appears likely to be combined with one or more of those proposals.

But some of those other bills, particularly one voted out of the House Financial Services Committee in March, have also encountered criticism from consumer groups. They've said they're concerned that that bill's approval would water down identity theft protection by trumping arguably stronger laws already passed at the state level, particularly in California.

The Judiciary proposal focuses more on the law enforcement angle of cybercrime. In addition to the notification requirements, it would also expand the legal definition of current computer fraud laws to penalize those who unlawfully obtain personally identifiable information.

It also attempts to outlaw illicit use of "botnets," defined in the bill as "the capability to gain access to or remotely control without authorization" computers belonging to financial institutions or involved in commerce.

For offenders of those crimes, the bill proposes beefing up penalties to as many as 30 years in prison--rather than the existing maximum sentences of 10 to 20 years. That move received the Justice Department's endorsement but drew skepticism from Rep. Dan Lungren, the California Republican who heads a cybersecurity panel in the House Homeland Security committee.

Lungren said he's concerned the bill focuses too heavily on prosecuting crimes that have already been committed and not enough on the consumer side of combating the problem. "What I'm concerned about is the lack of knowledge among consumers of what they can do to protect themselves...and I am one of those consumers," he said.

The House hearing comes one day after President Bush met with identity theft victims at the White House and announced the creation of an identity theft "task force" chaired by the Attorney General and the chairman of the Federal Trade Commission. The FTC also launched its own identity theft education campaign, in which it planned to dispatch videos and literature to "victim advocate" organizations for distribution to the public.

gov action better late than never
Identity theft has been on the minds of Americans for years now; finally there's been some government action on the matter. Individuals and the media have been looking at ways to protect their personal information from phishing, keylogging and other malicious means for some time now.

It's finally time we see some movement on the issue.
Posted by marileev (292 comments)
Shame, shame, Congress!
If the public can be kept in the dark for up to 30 days, that leaves plenty of time for the affected individuals to have their information used by the criminals!
Posted by ddesy (4336 comments)
What should happen, and never will in this country, is that instead of having to inform people when personal data is compromised, storing people's personal data without permission should be made a crime.

Simply put, most of the security breaches we hear about would not be possible if the companies involved were not allowed to store that data in the first place, and faced criminal sanctions if they were found to be in violation.

All of the credit card issues of the last year involved cases where credit card processing companies stored personal data, which directly contravened the credit card companies' rules regarding credit transactions. Because there is no law that makes following credit card company rules regarding transaction data mandatory, the companies involved had almost zero incentive to obey those rules.

It's the same with companies that store your credit information, and then sell it to whoever asks without your permission. If they faced severe criminal sanctions for storing that data in the first place, it wouldn't have been available for identity thieves to steal.

So it's all well and good having disclosure laws in place, provided they don't do what this one does and trump more powerful state laws that actually have the teeth to do something if a business is in violation, but this should be combined with a data privacy law that forbids the retention of people's personal data without explicit permission. Not checking a box on a form would not constitute permission. Violations should be punishable with mandatory prison sentences for the owners of any business that fails to abide by the law.

This is the only way we can have any sort of meaningful protection, but because it places a burden of proof on business, and prevents other powerful businesses from exploiting your data it'll never happen until people wise up and vote out every congressman or congresswoman currently in office.
Posted by ajbright (447 comments)
This Bill Will Go Nowhere
This ridiculous bill will not even get out of committee, let alone be passed by the full House, not to mention the Senate.

It takes exactly the wrong approach to leaked personal data. It outlaws allowing a company whose database was broken into and personal information stolen to make the security breach public without first notifying the police, who can then delay informing anyone about the breach for as long as thirty days.

The point of public notification is to protect those whose information has been stolen and that requires that the people affected be notified as quickly as possible so they can take steps to protect themselves. Such public notification is mandatory by law in some states, California for example.

Privacy advocates will jump all over this proposal and rightly so because the bill puts the interests of the police ahead of protection for those whose information was stolen. An incredibly bad bill. So bad that, as I say, it will go absolutely nowhere and we can all be thankful for that.
Posted by gmcaloon--2008 (72 comments)