June 29, 2005 9:00 PM PDT

Senators propose sweeping data-security bill

An avalanche of new rules for corporate data security and stiff penalties for information burglars are included in a far-reaching bill introduced Wednesday in the U.S. Senate.

The bill represents the most aggressive--and at 91 pages, the most regulation-oriented--legislative proposal crafted so far in response to a slew of high-profile security breaches in the last few months.

"Reforms like these are long overdue," Sen. Patrick Leahy, a Vermont Democrat, said in a floor speech. "This issue and our legislation deserve to become a key part of this year's domestic agenda so that we can achieve some positive changes in areas that affect the everyday lives of Americans."

One portion of the bill, named the Personal Data Privacy and Security Act, restricts the sale or publication of Social Security numbers. Also, businesses would be prohibited from requiring SSNs except in a narrow set of circumstances such as obtaining credit reports and applying for a job or an apartment.

Leahy, who had hinted at his plans in a speech in March and had his personal information lost by Bank of America, is co-sponsoring the bill with Pennsylvania Sen. Arlen Specter. Because Specter is the Republican chairman of the influential Judiciary Committee, the measure could move swiftly through the normally torpid legislative process.

"This is an evolving problem that is gigantic," Specter said at a press conference in the Capitol building. He predicted quick action because "we're not dealing with a highly controversial subject where there will be significant differences of opinion."

While portions of the proposal are sure to be criticized by businesses that would be faced with more paperwork and compliance requirements, Congress nevertheless seems eager to act. In speech after speech, politicians have pledged to enact more laws to respond to the data mishaps--promises that have occasionally raised eyebrows because many of the intrusions were already illegal.

Spurring politicians along has been a series of security snafus involving firms including ChoicePoint--which claims to have fixed its problems--Bank of America, payroll provider PayMaxx, and Reed Elsevier Group's LexisNexis service. Other suggestions have included narrower measures to restrict the sale of SSNs or to mandate notices of security breaches.

The Personal Data Privacy and Security Act would:

• Erect a complex regulatory infrastructure around "data brokers," defined as any company or nonprofit that is "collecting, transmitting, or otherwise providing personally identifiable information" of 5,000 or more people who are not its customers or employees. Data brokers would be required to follow European-style guidelines, including mandatory disclosure of a record to the individual it concerns.

• Rewrite computer crime laws to create new penalties for database intrusions. The punishments: Fines and 10 years in prison for trespassing in a "data broker's" system, and five years in prison if a company or individual "willfully" conceals certain types of serious security breaches.

• Mandate a "comprehensive personal data privacy and security program" for most businesses and individuals acting as sole proprietors--akin to what the Gramm-Leach-Bliley Act required.

• Order companies and individuals acting as sole proprietors to offer notifications if a computer security breach "impacts more than 10,000 individuals."

• Require review of federal sentencing guidelines for misuses of personally identifiable information, and authorize the Justice Department to hand grants to states to "enhance enforcement" of ID fraud-related crimes.

• Create additional "privacy impact assessments" when a federal agency relies on a commercial database consisting "primarily" of information on U.S. citizens. If the database were worldwide in scope and did not consist "primarily" of U.S. citizen information, the requirement would not apply. Also, individual screening programs by federal agencies would have to be explicitly authorized by Congress.

The web of rules surrounding the "data broker" definition could prove problematic, warns Jim Harper, director of information policy at the free-market Cato Institute and a member of the Department of Homeland Security's data privacy advisory committee.

"This is a disaster," Harper said, referring to the portion of the bill that permits individuals to access their records held by data brokers. "The idea is to increase security. But opening databases to access is not increasing security. The issue is supposed to be security, and they're going to make databases less secure."

Harper also warned that the definition of "data broker" might cover news or gossip Web sites that publish personal information in articles, alumni organizations, charities and more. They would be subject to database access requirements. "I can't imagine all the different entities that would fall into that realm," he said.

CNET News.com's Anne Broache contributed to this report.

Concerned about the focus on Sole Proprietors

I'm a bit concerned about the focus on Sole Proprietors. What is not discussed is the expected cost of implementing these "mandatory" regulations. Nor at what level do they kick in. If I simply keep customer names, addresses, and email addresses (but no financial info, CC#, SSN, etc.) -- am I still going to be hit with huge regulation requirements that could crush my business?

Depending on the mandatory requirements, this could wipe out many small businesses. I'm not saying small businesses should be giving out information -- but I don't think that they are (as a general rule). We value our small customer base too much.

As a reminder, it has been the big companies (data brokers, banks, credit card issuers) that have been spewing private and financial information like a waterfall.
Posted by m.meister (278 comments)