September 30, 2005 2:01 PM PDT

Data-security bill may move forward next week

A sweeping U.S. Senate measure that would stiffen security requirements and penalties for so-called brokers of personal data may go up for a committee vote next week, a representative said Friday.

Sen. Arlen Specter, a Pennsylvania Republican, and Sen. Patrick Leahy, a Vermont Democrat, originally introduced the Personal Data Security and Privacy Act in June as part of a legislative outcry directed at a series of breaches by big-name companies such as ChoicePoint, Bank of America and Visa.

A number of related proposals also surfaced during this congressional term, including one approved by the Senate Committee on Commerce, Science & Transportation just before the summer recess that has yet to head to floor debate. And in the Senate Committee on the Judiciary, where Specter is chairman and Leahy is the highest ranking Democrat, action on the matter has been delayed for months because of other business, including the nomination of now-Chief Justice John Roberts to the Supreme Court.

On Wednesday, Specter and Leahy introduced an amended version of their June proposal. The new version omits a section that would have severely restricted the sale and use of Social Security numbers by businesses and other entities. According to a committee representative, the provision was dropped because another congressional committee has jurisdiction over such regulations.

Leahy said in a floor speech Wednesday that various stakeholders had come together to make the bill better balanced and focused. Certain terms--including "data broker," the initial definition of which prompted questions--appear to be defined more narrowly or in greater detail, though it remains unclear what the practical implications of those changes are.

Tough criminal penalties--including up to five years in prison for concealing security breaches involving sensitive personal information and economic damage to even one person--remain in the offing.

So do minimum security and privacy standards for companies that deal with electronic data records containing "sensitive personally identifiable information," defined in the newer bill as any information that uses an individual's name in combination with certain other elements, including Social Security number, medical history, mother's maiden name, account numbers and biometric data.

The amended bill also folds in notification requirements suggested by Sen. Dianne Feinstein, a California Democrat, who signed on as a co-sponsor of the new version.

Among other things, the bill would require that, on discovering a data breach, any agency or business entity that "uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information" notify any U.S. resident whose data was subject to the intrusion "without unreasonable delay." It also spells out methods of notification and describes situations where delays or exemptions would be permitted.

Feinstein introduced the provisions during the spring in a shorter, narrower measure, known as the Notification of Risk to Personal Data Act. She and Specter said at a business meeting Thursday that they'd pursue the larger bill first but, if they couldn't move it out of committee speedily, that they would attempt to advance Feinstein's shorter proposal.

2 comments

More bills are needed to set a global platform.

ID theft cannot be stopped by one bill nor can one levee stop a hurricane's flood surge. The ID theft problem is like a natural disaster that requires the co-ordination of all civil sources.

The U.S. is the only G8 nation responding by setting standards but not mandating protection as Germany, Japan, both Chinas and most of the civilized countries are doing. Are we nuts?

Not only did others sign or ratify the Cybercrime Treaty before the U.S. but their citizens and consumers held their politicians' hands to the fire. That same treaty the U.S. Senate only put forward two years tardy in July 2005.

However, the rest of the G8, aside from the U.S., mandates two-factor authentication with offline devices to protect their consumers by taking the PIN and ID offline. The U.K. bankers like the U.S. resisted it until the U.K. residents boycotted e-commerce demanding this protection.

So what do we need? We need to know someone in Russia or Nigeria cannot sneak into our accounts while we are asleep and impoverish us with no recourse. We need good technological protection and international coordination to fight this war of the worms that Visa and charge card platforms and all banks reluctantly admitted last week in a conference they are losing.

Maybe the problem here is the U.S. consumers are not as educated or motivated yet about the ID theft and bank rap problem and its solutions like the British are. So as glad as I am to see whatever measures the U.S. does, I as a citizen say more is needed. Let's lead the charge and not be dragged by other nations to cover our own rears.

The ID theft threat in the U.S. is like the last couple of hurricanes; too little often too late. The consumers and citizens need better protection than just setting standards at the Dept of Commerce and saying you can choose level 4 authentication if you want it.

Tell that to the seniors who lose funds and have no recourse or to the widows and orphans trusts that the crooks steal their cash as their statute of limitations expires so banks say tough luck.

We, meaning the U.S. consumers, should at the very least be on the same level as the U.K. We should have protection for every single depositor mandated because we can do it and we must put an end to the shenanigans of the ID theft mobs.
Posted by (66 comments )
I agree with and add to the statement the below
A year ago, January 2006, EDI Secure LLLP was purchased by IDPixie LLC which owns the patent US 6,598,031 B1 granted on July 22, 2003 for APPARATUS AND METHOD FOR ROUTING ENCRYPTED TRANSACTION CARD IDENTIFYING DATA THROUGH A PUBLIC TELEPHONE NETWORK from inventor Jeffrey Ice. So to update EDI Secure LLLP's place in the marketplace, I add the above and below data.

My Pledge

I, Mr. Abdul Tawala Ibn Ali Alishtari, pledge my Foundation to halt child slavery activities including his Global Peace Film Festival, Inc., at www.peacefilmfest.org. I pledge moral support of legal, peaceful activities and my non-profit gifts offshore, onshore and globally, primarily with philanthropy from my personal investment to help halt all fraud, violence and scams hurting innocent children, women and families so help me God.
Posted by Abdul Tawala Ibn Ali Ali (53 comments )