July 28, 2005 12:11 PM PDT

Senate moves toward new data security rules

WASHINGTON--U.S. politicians signaled Thursday that they were eager to enact security breach and data safeguard laws, a move that indicates new federal regulations could reach President Bush's desk by the end of the year.

In a flurry of activity before Congress prepares to skip town for an August recess, three different congressional committees considered similar legislation at the same time on Thursday morning.

The Senate's Commerce Committee voted unanimously to accept a bill introduced earlier this month by Sen. Gordon Smith, R-Ore. It would give the Federal Trade Commission the power to create an information security program that provides "administrative, technical and physical safeguards," and set guidelines for notifying people threatened by a data security breach.

The committee adopted a package of about a dozen amendments, including a compromise suggested by Sen. Barbara Boxer, D-Calif., that would cut, from 90 days to 45 days, the maximum number of days a company has to notify individuals of a breach. But even those guidelines are just broad suggestions, Smith said. "As soon as they know, they need to notify."

Senators also voted to accept an amendment proposed by Sen. Bill Nelson, D-Fla.--which would prohibit the sale and display of Social Security numbers except in special circumstances--but indicated it might be tweaked before it is final. Also, the bill will not go to a floor vote until some of its provisions are negotiated with members of the Senate Banking Committee, said Sen. Ted Stevens, R-Alaska, who chairs the Commerce Committee.

Meanwhile, the Senate Judiciary Committee pushed back its plans Thursday to vote on a trio of personal data security bills.

The committee had been scheduled to vote on the lengthiest and most far-reaching proposal, titled the Personal Data Privacy and Security Act. Sen. Arlen Specter, R-Penn., and Sen. Patrick Leahy, D-Vt., introduced the measure in late June, shortly after MasterCard announced that an intruder may have pilfered information from 40 million credit card accounts.

At the same time on Thursday, a U.S. House of Representatives Energy and Commerce subcommittee convened a hearing about its own draft of data protection legislation.

Different details
All the proposed bills share common threads: requiring prompt notification when security breaches occur, awarding more regulatory power to the federal government, and setting minimum standards for data security.

The Specter-Leahy bill stands alone in setting criminal penalties, imposing up to five years in prison for those who intentionally conceal information related to a security breach and up to 10 years for breaking into systems maintained by "data brokers," companies in the business of selling personal information.

The proposed legislation would also restrict the sale and publication of Social Security numbers and compel companies and individuals acting as sole proprietors to send out notifications if a computer security breach affects more than 10,000 individuals. It also would limit the extent to which states can legislate on personal data protection.

The other Senate bills, by contrast, would bestow the bulk of enforcement and regulatory powers upon the Federal Trade Commission, overtly pre-empt any related state or local laws, and impose a range of monetary penalties on entities that don't provide notification of security breaches "without unreasonable delay." The guidelines for that notification, however, vary from measure to measure.

Federal regulations geared toward safeguarding personal information are nothing new. The Fair Credit Reporting Act, last updated in 2002, says credit report information can only be used for certain purposes. The Gramm-Leach-Bliley Act of 1999 requires financial institutions to shield sensitive information and bars them from sharing their customers' information with third parties without giving them the option to say no. The FTC has urged Congress to broaden the law's provisions beyond financial institutions.

But former federal officials, academics and lawyers have cautioned lawmakers not to rush into new federal regulations. A former FTC commissioner warned that overly broad notification requirements could mean "we're going to cry wolf so much that we're going to move away from this great medium that we're working with." Also, courts have been invoking existing law to safeguard electronic privacy.

6 comments

Senate moves toward new data security rules

Mr. AT Alishtari, POA and Founder EDI Secure LLLP, says the U.S. Senate Cybercrime treaty as suggested for ratification by the European Union is the best thing for establishing a global standard for public and private ID theft protection.

The powers that be in the G8 already recognize that getting authentication standards is in the interest of consumers even though many IT giants squawk saying two factor authentication is not enough or two factor authentication is hacked. This is like saying our ball is flat too when it is not. They forget to say US Commerce Dept level 3 two factor authentication is breached not level 4 two factor authentication with an offline swipe device.

This is where the government steps in and defines the top level 4 of industry authentication as two factor authentication with an offline device is not hackable and the shame is the IT giants know this but, well, they don't own it. It is good the U.S. Dept of Commerce National Institute for Standards and Technology, NIST, also knows it. The USPTO granted the single use credit card number ID patent given to EDI Secure on July 22, 2003, as a legal monopoly over the next 15 years. That patent is defined by the US as the standard for public and private ID protection.

Sometimes a new MSN or IBM is created from just position. Apple is big after IBM missed PCs but it caught up. EDI Secure LLLP will be big since it owns the level 4 authentication the world says it needs to stop bank rape today. Call it dumb luck or an act of God. Either way this is a fact and U.S. consumers will beat a path to EDI Secure LLLP once they know, hey, I can be safe again.
Posted by (66 comments )
SOS
Banks and other financial institutions are going to water down any attempt to punish them for losing our personal data. They, both houses, have to impose stiff, and I mean stiff, penalties before they really protect the data banks. If they had to pay a buck for every person's data they lost by whatever means, you can bet they would install real safeguards.
Posted by wtortorici (102 comments )
On your SOS about ID theft in banks and law makers
I cannot agree with you more; however, this means we voters have to tell our legislators, like they did in the UK, that we want stiff fines and implementation of not only 4 factor authentication that produces single use credit card numbers but the numbers themselves. That is what I think. Ciao now.
Posted by Iohagh (54 comments )