By Declan McCullagh
Staff Writer, CNET News.com
June 29, 2005
Corporate data-security practices would be hit with an avalanche of
new rules and information burglars would face stiff new penalties
under a far-reaching bill introduced Wednesday in the U.S. Senate.
The bill represents the most aggressive--and at 91 pages, the most
regulatory--legislative proposal crafted so far in response to a slew
of high-profile security breaches in the last few months.
"Reforms like these are long overdue," Sen. Patrick Leahy, a Vermont
Democrat, said in a floor speech. "This issue and our legislation
deserve to become a key part of this year=92s domestic agenda so that we
can achieve some positive changes in areas that affect the everyday
lives of Americans."
One portion of the bill, named the Personal Data Privacy and Security
Act, restricts the sale or publication of Social Security numbers.
Also, businesses would be prohibited from requiring SSNs except in a
narrow set of circumstances such as obtaining credit reports and
applying for a job or an apartment.
Leahy, who had hinted at his plans in a speech in March and had his
personal information lost by Bank of America, is co-sponsoring the
bill with Pennsylvania Sen. Arlen Specter. Because Specter is the
Republican chairman of the influential Judiciary committee, the
measure could move swiftly through the normally torpid legislative
"This is an evolving problem that is gigantic," Specter said at a
press conference in the Capitol building. He predicted quick action
because "we're not dealing with a highly controversial subject where
there will be significant differences of opinion."
While portions of the proposal are sure to be criticized by businesses
that would be faced with more paperwork and compliance requirements,
Congress nevertheless seems eager to act. In speech after speech,
politicians have pledged to enact more laws to respond to the data
mishaps--promises that have occasionally raised eyebrows because many
of the intrusions were already illegal.
Spurring politicians along has been series of security snafus
involving firms including ChoicePoint--which claims to have fixed its
problems--Bank of America, payroll provider PayMaxx, and Reed Elsevier
Group's LexisNexis service. Other suggestions have included narrower
measures to restrict the sale of SSNs or mandate notices of security
Targeting "data brokers"
The Personal Data Privacy and Security Act would:
* Erect a complex regulatory infrastructure around "data brokers,"
defined as any company or nonprofit that is "collecting,
transmitting, or otherwise providing personally identifiable
information" of 5,000 or more people that are not customers or
employees. Data brokers are required to follow European-style
guidelines, including mandatory disclosure of a record to that
* Rewrite computer crime laws to create new penalties for database
intrusions. The punishments: Fines and 10 years in prison for
trespassing in a "data broker's" system, and 5 years in prison if a
company or individual "willfully" conceals certain types of serious
* Mandate a "comprehensive personal data privacy and security
program" for most businesses and individuals acting as sole
proprietors--akin to what the Gramm-Leach-Bliley Act required.
* Order companies and individuals acting as sole proprietors to offer
notifications if a computer security breach "impacts more than
* Require review of federal sentencing guidelines for misuses of
personally identifiable information, and authorize the Justice
Department to hand grants to states to "enhance enforcement" of ID
* Create additional "privacy impact assessments" when a federal agency
relies on a commercial database consisting "primarily" of
information on U.S. citizens. If the database were worldwide in
scope and did not consist "primarily" of U.S. citizen information,
the requirement would not apply. Also, individual screening programs
by federal agencies would have to be explicitly authorized by
Previous Next The web of rules surrounding the "data broker"
definition could prove problematic, warns Jim Harper, director of
information policy at the free-market Cato Institute and a member of
the Department of Homeland Security's data privacy advisory committee.
"This is a disaster," Harper said, referring to the portion of the
bill that permits individuals to access their records held by data
brokers. "The idea is to increase security. But opening databases to
access is not increasing security. The issue is supposed to be
security and they're going to make databases less secure."
Harper also warned that the definition of "data broker" might cover
news or gossip Web sites that publish personal information in
articles, alumni organizations, charities and more. They would be
subject to database access requirements. "I can't imagine all the
different entities that would fall into that realm," he said.
CNET News.com's Anne Brouche contributed to this report.
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.