News
7/1/2005
03:35 PM
Congress Responds To Data-Security Fears

Legislation would mandate data-security programs and consumer notification

After months of headlines about lost and stolen consumer and employee data at banks, information brokers, retailers, and credit-card processors, it seemed inevitable that federal lawmakers would lay down new rules. Here they come.

Two senators last week proposed a bill mandating data-security management steps for many businesses and a nationwide standard for notifying consumers of security breaches. The legislation addresses the public's growing concern about identity theft; survey results released last week by Deloitte & Touche and the Center for Social and Legal Research indicate that 44 million Americans have been ID-theft victims.

The bill, introduced by Sens. Patrick Leahy, D-Vt., and Arlen Specter, R-Pa., would require companies that store information on more than 10,000 people to create a data-privacy and protection program, including assessing, maintaining, and controlling risks to data privacy and security. Businesses would have to provide employee training, perform vulnerability tests, and ensure that third-party service providers have adequate security programs.

Companies that engage in interstate commerce would have to notify anyone whose personal information, such as name, Social Security number, or date of birth, has been affected by a security breach.

The bill's data-privacy and security requirements are modeled after tougher guidelines that the Office of the Comptroller of the Currency began applying in March to the banks it regulates. The bill exempts financial institutions and some health-care entities because they're covered under existing laws such as Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act.

By creating a national notification standard, the bill might help companies now facing a patchwork of state laws. Eighteen states have adopted disclosure laws, most of them patterned after California's; the national law would preempt those laws.

The bill would give consumers the right to review and correct information collected by information brokers such as Acxiom, ChoicePoint, and LexisNexis, all of which have experienced data breaches. It prohibits, with certain exceptions, the display, sale, and purchase of Social Security numbers without an individual's consent. ChoicePoint in March stopped selling most information products containing sensitive consumer data.

The notification rule exempts companies from notifying consumers of a security breach if a risk assessment conducted with law enforcement determines the risk of fraud is minimal. A "fraud-prevention exemption" excuses companies from notification if compromised data can't be used to commit fraud or if the company has a security program reasonably designed to block its use for fraudulent transactions.

Those exemptions provide incentives for companies to strengthen security programs, while reducing the need to report every incident, such as a lost tape with encrypted data. "The thing this bill does that's wise, that some of the other data-security-breach notification bills don't do, is tie the trigger for notification to judgment of the likelihood of harm," says Emily Hancock, an attorney at Steptoe & Johnson, who advises large companies and financial institutions on data security.

Credit-card companies appear to favor the bill. Visa is studying it, a spokeswoman says, but believes provisions--such as extending security and privacy requirements to nonfinancial institutions, restricting use of Social Security numbers, and creating a national notification standard--have a lot of merit.
