|
As the Black Hat conference descends upon Las Vegas this week, internetnews.com presents a series of articles addressing security issues past and present.
Since the now infamous ChoicePoint data breach 17 months ago, Congress has angrily talked of holding data brokers accountable for the security of consumers' personal identifiable information.
So far, it's still just that: talk.
In the interim, The Privacy Rights Clearinghouse has documented data security breaches affecting almost 90 million people who have had their personal information potentially exposed by unauthorized access to their data.
The list of ">breaches is long, including Bank of America, LexisNexis, DSW, MCI, Ameritrade, Time Warner, Boeing, Ford Motor Company, Verizon, MasterCard, Wells Fargo, the American Red Cross and a host of colleges and government agencies.
Congressman Barney Frank - Representing the 4th District of Massachusetts::
Congress. Quick Finder. FRANK: DATA SECURITY BILLS WILL TAKE US BACKWARDS state consumer protection laws, and preventing data breaches and identity theft.
http://www.house.gov/frank/fscdatasecurity.htmlHOME |
Data Breach Watch::
with up-to-date information, commentary and resources on data breaches. that these bills move quickly through Congress if they are going to keep up
http://www.databreachwatch.org/HOME |
The breaches run the gamut from lost backup tapes and laptops to inside jobs to hacking to just plain mishandling of data.
States have moved aggressively to protect their citizens, with at least 34 of them passing laws that require data brokers to notify individuals that their personal data has been compromised.
Most of those state laws also allow consumers to freeze their credit reports upon notification of a breach.
Congress, meanwhile, has held hearings and passed a handful of proposals out of committees. Neither the U.S. House nor Senate has yet to pass any law about data breaches and security.
With just 15 calendar days left on the 109th Congress' schedule, plus a seemingly inevitable lame-duck session after the November elections, federal lawmakers are still promising a data breach bill.
Just last week, the House Republican leadership almost decided to go with H.R. 3997, the Financial Data Protection Act.
Under the provisions of the legislation, data brokers would decide when a breach is serious enough to notify consumers.
It would also preempt all state laws, wiping out the protections afforded by mandatory disclosures and the ability to freeze credit reports.
"We believe this provision will result in many breaches not being disclosed to the affected individuals at all," the Privacy Rights Clearinghouse told its readers in a newsletter last week.
"We don't think companies that experience breaches, especially when Social Security numbers are involved, cannot foretell the future, at least not at this time."
Federal Information Security and Data Breach Notification Laws: Open ::
information security and data breach notification requirements included During the 110th Congress, three data security bills -- S. 239 (Feinstein), S.
http://opencrs.com/document/RL34120HOME |
The House leadership chose the Financial Data Protection Act, which passed out of the House Judiciary Committee in March, over H.R. 4127, the Data Accountability and Trust Act approved by the Energy and Commerce Committee in May.
The Data Accountability and Trust Act bill has received the lukewarm support of consumer groups and watchdogs if only because it's not the Financial Data Protection Act.
Setback for US data breach law News - PC Advisor::
after data breaches at ChoicePoint and LexisNexis set off a national debate about identification theft and data security, running out for Congress to pass a
http://www.pcadvisor.co.uk/news/index.cfm?newsid=6113HOME |
Cyber Security Industry Alliance Calls on Congress to Support Data ::
Data breaches continue to occur at every kind of organization -- schools, government agencies, health care providers, small businesses and large retail
http://www.govtech.com/gt/151157?topic=117688HOME |
The trigger language for disclosure in H.R. 4127 requires companies to notify individuals of a breach unless it can show otherwise that there is no reasonable risk of harm. Encrypted data, for instance, would be a defense against disclosure.
It would also preempt state laws but on a much a narrower basis.
In addition, the bill gives consumers new rights to review and dispute information held by data brokers.
"The data warehouses of information broker companies contain profiles on virtually every American adult, consisting of information obtained from public records and from other sources that are publicly available," the Privacy Rights Clearinghouse states.
"It's long overdue for consumers to have access to their data files and to make sure the information is correct."
In the Senate, the Judiciary Committee has approved the Personal Data Privacy and Security Act, which would require data brokers holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies.
The disclosure clause of the bill would allow data brokers to avoid disclosure if the breach, as determined by the data brokers, poses "no significant risk" to consumers.
However, the brokers must report the breach to the U.S. Secret Service, which could conduct its own investigation of the risk to consumers.
The Senate Commerce Committee has its own version of consumer protection in the Identity Theft Protection Act, which would require data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a "reasonable risk" of identity theft involved in the breach.
Both Senate bills would preempt existing state laws.
In the rush of the closing days of the 109th Congress, lawmakers will have to make some hard decisions about which bills to support, if any.
If history is any indicator, they will take the easy way out.
| Security Bills in Progress |
| Bill |
Sponsor |
Status |
H.R. 4127
The Data Accountability and Trust Act
| Requires any entity that experiences a breach of security to notify those in the U.S. whose information was acquired by an unauthorized person as a result of the breach. In addition, they must let them know that the chance of identity theft is "reasonably likely." Conspicuous notice on the breached entity's Web site is also required. The FTC must also be notified. Preempts state information security laws. |
Passed House Energy and Commerce Committee in June. Awaits House vote. |
H.R. 3997
The Financial Data Protection Act
| Gives companies discretion in deciding whether a breach was serious enough to inform consumers. Would preempt stronger state laws. And while extending the concept of the security freeze nationwide, the bill would allow only individuals who have been victims of identity theft to freeze their records. |
Passed the House Financial Services Committee in March. Awaits House vote. |
H.R. 5318
Cyber-Security Enhancement and Consumer Data Protection Act
| Establishes new federal crimes for improper use of personal electronic records and other criminal activity involving computers. |
Passed the House Judiciary Committee in June. Awaits House vote. |
S. 1789
Personal Data Privacy and Security Act
| Companies must report data breaches that have a "significant risk of harm" for identity theft. The bill also would require most government agencies to notify any individuals whose information has been unlawfully accessed. It would require data brokers to provide individuals with their personally identifiable information and to change the information if it is incorrect. |
Passed Senate Judiciary Committee in November 2005. Awaits Senate vote. |
S. 1326
Notification of Risk to Personal Data Act
| In the event of a security breach that creates a "significant risk of identity theft," companies would be required to notify all individuals whose personal information was compromised. The bill also would create civil penalties for entities that fail to provide notice of security breaches to affected individuals. |
Passed Senate Judiciary Committee in October 2005. Awaits Senate vote. |
S. 1408
Identity Theft Protection Act
| Requires data breach disclosure to consumers if there is a reasonable risk of identity theft. Preempts state laws related to security breach notification. |
Passed Senate Commerce Committee in December 2005. Awaits Senate vote. | |
| Source: Previous internetnews.com coverage compiled by Roy Mark |
 AT&T to Offer Credit Checks After Data Hack
 House Plans Data Breach Disclosure Vote | 