April 11, 2005 3:52 PM PDT
Tougher data-leak law proposed
- Related Stories
Boston College reveals alumni data breachMarch 17, 2005
ChoicePoint: We're sorry for data leakMarch 15, 2005
Privacy advocates frown on Amazon snooping planMarch 14, 2005
Senator predicts 'overdue' changes to privacyMarch 10, 2005
LexisNexis break-in spurs more calls for reformMarch 9, 2005
The update adds new guidelines on types of data covered and reporting policies to the ID Theft Notification Bill, proposed by the California Democrat in June 2003. The legislation would require organizations that collect the personal data of U.S. citizens to inform consumers when their information has been lost or stolen.
Lawmakers became focused on privacy protection after consumer data broker ChoicePoint gave criminals access to the confidential information of more than 35,000 Californians. Since that mishap was first reported in February, numerous other organizations, including hospitals, schools and businesses, have reported exposures of data.
"Every day, we learn that we are more and more at risk from identity theft--entire databases have been lost, stolen or hacked into," Feinstein said in a statement. "We desperately need a strong national standard that says whenever a data system is breached, everyone who is at risk of identity theft must be notified," she added.
Feinstein's bill, which requires organizations to inform people in writing or via e-mail when their data has been exposed, closely resembles California's Security Breach Information Act (SB 1386). Currently, California is the only state that has a law requiring consumer notification on its books.
The updated proposal adds details about the formats of information covered by the legislation. It now covers both electronic and nonelectronic data, as well as encrypted and nonencrypted information. The California law only includes unencrypted, electronic data.
Another new element is related to consumer credit reports. People will be allowed to put a seven-year fraud alert on their report when their personal information has been compromised. The bill also promises to close some perceived loopholes in SB 1386 by eliminating rules that allowed companies to follow less-stringent reporting policies and by creating an official template for the kinds of information that must be included in data-loss warnings.
Feinstein said she worked with representatives from the Consumers Union, the Privacy Rights Clearinghouse and other privacy-rights groups to strengthen the legislation. The Senate Judiciary Committee will hold a hearing to examine the bill on April 13.