News
7/1/2005
03:35 PM
Congress Responds To Data-Security Fears

Legislation would mandate data-security programs and consumer notification

After months of headlines about lost and stolen consumer and employee data at banks, information brokers, retailers, and credit-card processors, it seemed inevitable that federal lawmakers would lay down new rules. Here they come.

Two senators last week proposed a bill mandating data-security management steps for many businesses and a nationwide standard for notifying consumers of security breaches. The legislation addresses the public's growing concern about identity theft; survey results released last week by Deloitte & Touche and the Center for Social and Legal Research indicate that 44 million Americans have been ID-theft victims.

The bill, introduced by Sens. Patrick Leahy, D-Vt., and Arlen Specter, R-Pa., would require companies that store information on more than 10,000 people to create a data-privacy and protection program, including assessing, maintaining, and controlling risks to data privacy and security. Businesses would have to provide employee training, perform vulnerability tests, and ensure that third-party service providers have adequate security programs.

Companies that engage in interstate commerce would have to notify anyone whose personal information, such as name, Social Security number, or date of birth, has been affected by a security breach.

The bill's data-privacy and security requirements are modeled after tougher guidelines that the Office of the Comptroller of the Currency began applying in March to the banks it regulates. The bill exempts financial institutions and some health-care entities because they're covered under existing laws such as Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act.

By creating a national notification standard, the bill might help companies now facing a patchwork of state laws. Eighteen states have adopted disclosure laws, most of them patterned after California's; the national law would preempt those laws.

The bill would give consumers the right to review and correct information collected by information brokers such as Acxiom, ChoicePoint, and LexisNexis, all of which have experienced data breaches. It prohibits, with certain exceptions, the display, sale, and purchase of Social Security numbers without an individual's consent. ChoicePoint in March stopped selling most information products containing sensitive consumer data.

The notification rule exempts companies from notifying consumers of a security breach if a risk assessment conducted with law enforcement determines the risk of fraud is minimal. A "fraud-prevention exemption" excuses companies from notification if compromised data can't be used to commit fraud or if the company has a security program reasonably designed to block its use for fraudulent transactions.

Those exemptions provide incentives for companies to strengthen security programs, while reducing the need to report every incident, such as a lost tape with encrypted data. "The thing this bill does that's wise, that some of the other data-security-breach notification bills don't do, is tie the trigger for notification to judgment of the likelihood of harm," says Emily Hancock, an attorney at Steptoe & Johnson, who advises large companies and financial institutions on data security.

Credit-card companies appear to favor the bill. Visa is studying it, a spokeswoman says, but believes provisions--such as extending security and privacy requirements to nonfinancial institutions, restricting use of Social Security numbers, and creating a national notification standard--have a lot of merit.
