6/30/2005
04:18 PM

Senate Ponders Toughest Data Protection Bill Yet

A wide-ranging data protection bill would send officials from companies who do not disclose security breaches to jail for up to five years, and would apply the RICO Act to identity theft gangs.

Two senior U.S. Senators introduced a wide-ranging data protection bill Wednesday that would send officials from companies who do not disclose security breaches to jail for up to five years, and bring the RICO Act to bear on identity theft gangs.

As anticipated, Sen. Arlen Specter (R-Pa.), the chairman of the Judiciary Committee, and that committee's ranking member, Sen. Patrick Leahy (D-Vt.) rolled out the most aggressive bill yet in reaction to the wave of security gaffes that have exposed millions of Americans' identities since the first of the year.

Among its provisions, the Personal Data Privacy and Security Act of 2005 would create a new computer crime classification -- aggravated fraud -- that would add two years of additional jail time for obtaining or accessing another's digital ID; severely restrict the use of Social Security numbers as account identifiers or numbers; and hold company executives responsible if they hide a data breach.

"It's time for Congress to catch up with the data market and show the American people that we are aware of these threats and will protect the privacy and security of their personal information," Leahy said from the Senate floor Wednesday as he and Specter introduced the bill.

"Reforms like these are long overdue," Leahy added.

Both Leahy and Specter predicted quick passage of the bill, which is the first to sport a Republican as sponsor. Several other bills that take on the data exposure problem have come from several prominent Democrats, including Dianne Feinstein (D-Calif.) and Charles Schumer (D-N.Y.).

The legislation would:

-- Add new penalties to the books by extending computer fraud to cover unauthorized access of data brokers' systems (the statute already covers financial institutions and credit card issuers), meaning that criminals could face up to 10 years in jail; giving the government the power to invoke racketeering charges using the RICO statute to prosecute criminal gangs trading in identities; and putting company officials in prison for up to 5 years if they conceal a data breach.

-- Enact a bevy of new regulations that cover "data brokers," defined as businesses or non-profits "in the practice of collecting, transmitting, or otherwise providing personally identifiable information on a nationwide basis on more than 5,000 individuals." Among the regulations: data brokers would have to allow consumers the chance to change their information and, as with a credit report, receive a copy of that information at their request.

-- Require businesses not already covered by the Gramm-Leach-Bliley Act or HIPAA (Health Insurance Portability and Accountability Act of 1996) to create a data privacy and security program. That part of the Leahy-Specter bill also expands disclosure rules nationwide, and mandates that customers be informed of any security breach involving more than 10,000 people, or that revolved around a database with more than a million entries.

-- Limit the ways that Social Security numbers can be used as account numbers. This section also bans the sale of Social Security numbers, one of the data bits sold to fraudsters by ChoicePoint in 2004 and disclosed in February 2005.

-- Force the General Services Administration (GSA) to review government contractors' privacy and security programs before awarding contracts. This last item came from the recent news that the Internal Revenue Service had awarded a $20 million contract to ChoicePoint.

"It's especially galling to be rewarding firms that have been so careless with the public's confidential information," said Leahy on the floor. "We should at least take a pause before rewarding such missteps with even more government contracts."
