September 30, 2005 2:01 PM PDT
Data-security bill may move forward next week
Sen. Arlen Specter, a Pennsylvania Republican, and Sen. Patrick Leahy, a Vermont Democrat, originally introduced the Personal Data Security and Privacy Act in June as part of a legislative outcry directed at a series of breaches by big-name companies such as ChoicePoint, Bank of America and Visa.
A number of related proposals also surfaced during this congressional term, including one approved by the Senate Committee on Commerce, Science & Transportation just before the summer recess that has yet to head to floor debate. And in the Senate Committee on the Judiciary, where Specter is chairman and Leahy is the highest ranking Democrat, action on the matter has been delayed for months because of other business, including the nomination of now-Chief Justice John Roberts to the Supreme Court.
On Wednesday, Specter and Leahy introduced an amended version of their June proposal. The new version omits a section that would have severely restricted the sale and use of social security numbers by businesses and other entities. According to a committee representative, the provision was dropped because another congressional committee has jurisdiction over such regulations.
Leahy said in a floor speech Wednesday that various stakeholders had come together to make the bill better balanced and focused. Certain terms--including "data broker," the initial definition of which prompted questions--appear to be defined more narrowly or in greater detail, though it remains unclear what the practical implications of those changes are.
Tough criminal penalties--including up to five years in prison for concealing security breaches involving sensitive personal information and economic damage to even one person--remain in the offing.
So do minimum security and privacy standards for companies that deal with electronic data records containing "sensitive personally identifiable information," defined in the newer bill as any information that uses an individual's name in combination with certain other elements, including Social Security number, medical history, mother's maiden name, account numbers and biometric data.
The amended bill also folds in notification requirements suggested by Sen. Dianne Feinstein, a California Democrat, who signed on as a co-sponsor of the new version.
Among other things, the bill would require that, on discovering a data breach, any agency or business entity that "uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information" notify any U.S. resident whose data was subject to the intrusion "without unreasonable delay." It also spells out methods of notification and describes situations where delays or exemptions would be permitted.
Feinstein introduced the provisions during the spring in a shorter, narrower measure, known as the Notification of Risk to Personal Data Act. She and Specter said at a business meeting Thursday that they'd pursue the larger bill first but, if they couldn't move it out of committee speedily, that they would attempt to advance Feinstein's shorter proposal.
ID theft cannot be stopped by one bill, nor can one levee stop a hurricane's flood surge. The ID theft problem is like a natural disaster that requires the co-ordination of all civil sources.
The U.S. is the only G8 nation responding by setting standards but not mandating protection as Germany, Japan, both Chinas and most of the civilized countries are doing. Are we nuts?
Not only did others sign or ratify the Cybercrime Treaty before the U.S., but their citizens and consumers held their politicians' hands to the fire. That same treaty the U.S. Senate only put forward two years tardy, in July 2005.
However, the rest of the G8, aside from the U.S., mandates two-factor authentication with offline devices to protect their consumers by taking the PIN and ID offline. The U.K. bankers like the U.S. resisted it until the U.K. residents boycotted e-commerce demanding this protection.
So what do we need? We need to know someone in Russia or Nigeria cannot sneak into our accounts while we are asleep and impoverish us with no recourse. We need good technological protection and international coordination to fight this war of the worms that Visa and charge card platforms and all banks reluctantly admitted last week in a conference they are losing.
Maybe the problem here is the U.S. consumers are not as educated or motivated yet about the ID theft and bank rap problem and its solutions like the British are. So as glad as I am to see whatever measures the U.S. does, I as a citizen say more is needed. Let's lead the charge and not be dragged by other nations to cover our own rears.
The ID theft threat in the U.S. is like the last couple of hurricanes: too little, often too late. The consumers and citizens need better protection than just setting standards at the Dept of Commerce and saying you can choose level 4 authentication if you want it.
Tell that to the seniors who lose funds and have no recourse or to the widows and orphans trusts that the crooks steal their cash as their statute of limitations expires so banks say tough luck.
We, meaning the U.S. consumers, should at the very least be on the same level as the U.K. We should have protection for every single depositor mandated, because we can do it and we must put an end to the shenanigans of the ID theft mobs.