News
7/1/2005
03:35 PM

Congress Responds To Data-Security Fears

Legislation would mandate data-security programs and consumer notification

After months of headlines about lost and stolen consumer and employee data at banks, information brokers, retailers, and credit-card processors, it seemed inevitable that federal lawmakers would lay down new rules. Here they come.

Two senators last week proposed a bill mandating data-security management steps for many businesses and a nationwide standard for notifying consumers of security breaches. The legislation addresses the public's growing concern about identity theft; survey results released last week by Deloitte & Touche and the Center for Social and Legal Research indicate that 44 million Americans have been ID-theft victims.

The bill, introduced by Sens. Patrick Leahy, D-Vt., and Arlen Specter, R-Pa., would require companies that store information on more than 10,000 people to create a data-privacy and protection program, including assessing, maintaining, and controlling risks to data privacy and security. Businesses would have to provide employee training, perform vulnerability tests, and ensure that third-party service providers have adequate security programs.

Companies that engage in interstate commerce would have to notify anyone whose personal information, such as name, Social Security number, or date of birth, has been affected by a security breach.

The bill's data-privacy and security requirements are modeled after tougher guidelines that the Office of the Comptroller of the Currency began applying in March to the banks it regulates. The bill exempts financial institutions and some health-care entities because they're covered under existing laws such as Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act.

By creating a national notification standard, the bill might help companies now facing a patchwork of state laws. Eighteen states have adopted disclosure laws, most of them patterned after California's; the national law would preempt those laws.

The bill would give consumers the right to review and correct information collected by information brokers such as Acxiom, ChoicePoint, and LexisNexis, all of which have experienced data breaches. It prohibits, with certain exceptions, the display, sale, and purchase of Social Security numbers without an individual's consent. ChoicePoint in March stopped selling most information products containing sensitive consumer data.

The notification rule exempts companies from notifying consumers of a security breach if a risk assessment conducted with law enforcement determines the risk of fraud is minimal. A "fraud-prevention exemption" excuses companies from notification if compromised data can't be used to commit fraud or if the company has a security program reasonably designed to block its use for fraudulent transactions.

Those exemptions provide incentives for companies to strengthen security programs, while reducing the need to report every incident, such as a lost tape with encrypted data. "The thing this bill does that's wise, that some of the other data-security-breach notification bills don't do, is tie the trigger for notification to judgment of the likelihood of harm," says Emily Hancock, an attorney at Steptoe & Johnson, who advises large companies and financial institutions on data security.

Credit-card companies appear to favor the bill. Visa is studying it, a spokeswoman says, but believes provisions--such as extending security and privacy requirements to nonfinancial institutions, restricting use of Social Security numbers, and creating a national notification standard--have a lot of merit.
