Congress Responds To Data-Security Fears - InformationWeek

Legislation would mandate data-security programs and consumer notification

After months of headlines about lost and stolen consumer and employee data at banks, information brokers, retailers, and credit-card processors, it seemed inevitable that federal lawmakers would lay down new rules. Here they come.

Two senators last week proposed a bill mandating data-security management steps for many businesses and a nationwide standard for notifying consumers of security breaches. The legislation addresses the public's growing concern about identity theft; survey results released last week by Deloitte & Touche and the Center for Social and Legal Research indicate that 44 million Americans have been ID-theft victims.

The bill, introduced by Sens. Patrick Leahy, D-Vt., and Arlen Specter, R-Pa., would require companies that store information on more than 10,000 people to create a data-privacy and protection program, including assessing, maintaining, and controlling risks to data privacy and security. Businesses would have to provide employee training, perform vulnerability tests, and ensure that third-party service providers have adequate security programs.

Companies that engage in interstate commerce would have to notify anyone whose personal information, such as name, Social Security number, or date of birth, has been affected by a security breach.

The bill's data-privacy and security requirements are modeled after tougher guidelines that the Office of the Comptroller of the Currency began applying in March to the banks it regulates. The bill exempts financial institutions and some health-care entities because they're covered under existing laws such as Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act.

By creating a national notification standard, the bill might help companies now facing a patchwork of state laws. Eighteen states have adopted disclosure laws, most of them patterned after California's; the national law would preempt those laws.

The bill would give consumers the right to review and correct information collected by information brokers such as Acxiom, ChoicePoint, and LexisNexis, all of which have experienced data breaches. It prohibits, with certain exceptions, the display, sale, and purchase of Social Security numbers without an individual's consent. ChoicePoint in March stopped selling most information products containing sensitive consumer data.

The notification rule exempts companies from notifying consumers of a security breach if a risk assessment conducted with law enforcement determines the risk of fraud is minimal. A "fraud-prevention exemption" excuses companies from notification if compromised data can't be used to commit fraud or if the company has a security program reasonably designed to block its use for fraudulent transactions.

Those exemptions provide incentives for companies to strengthen security programs, while reducing the need to report every incident, such as a lost tape with encrypted data. "The thing this bill does that's wise, that some of the other data-security-breach notification bills don't do, is tie the trigger for notification to judgment of the likelihood of harm," says Emily Hancock, an attorney at Steptoe & Johnson, who advises large companies and financial institutions on data security.

Credit-card companies appear to favor the bill. Visa is studying it, a spokeswoman says, but believes provisions--such as extending security and privacy requirements to nonfinancial institutions, restricting use of Social Security numbers, and creating a national notification standard--have a lot of merit.
