Pressure Builds in Congress To Address Data-Security Breaches

With the loss or theft of computerized personal information making headlines almost daily, lawmakers are scrambling for solutions for what is shaping up to be the 21st Century's hottest non-violent crime. More than a dozen bills that would put new requirements on banks and other entities with access to sensitive consumer information in the aftermath of data breaches have been introduced in the 109th Congress. The most recent is the Data Security Act of 2006 introduced this week by U.S. Sens. Robert F. Bennett, R-Utah, and Thomas R. Carper, D-Del. The bill would set notification standards for when security breaches occur and uniform national standards for storing electronic and paper-based data in a secure manner. “Given what we've seen happen recently with the security lapses at the Veterans Administration and other financial institutions, it's imperative that we write a national law to help protect consumers from being victims of identity theft,” Carper said in a press release issued jointly with Bennett. “This bill would require all financial institutions, retailers and government agencies to maintain strong internal safety protections for the data they hold, to quickly investigate any security breach, and notify law enforcement, regulators, and the public when there's a real risk of harm.” Personal data that would be covered by the bill's provisions include Social Security, taxpayer identification, and driver's license numbers. Covered financial data would include bank account and credit/debit card numbers in combination with any access codes used with them. The notification provision would not require that a covered entity such as a bank inform customers of every breach, only those presenting the threat of “substantial harm or inconvenience” through identity theft or account fraud, according to a background paper from the sponsors. The bill would preempt existing laws in more than 30 states. The sponsors say some of these state laws have inconsistent or conflicting standards resulting in uneven protection for consumers and, for businesses, high costs and difficulties with compliance, especially for small financial institutions. With seemingly so many security breaches of late?the one mentioned by Carper involves data on about 26 million veterans or military personnel stolen from a laptop (Digital Transactions News, June 22)?it's no surprise Congress is weighing in. According to the Senate's Web site, some 11 bills relating to identity theft have been introduced in that body during the current Congressional session, and six have been introduced in the House of Representatives. But devising workable security standards and a practical policy for when and how consumers should be notified of a breach is no easy task, according to Heather Mark, director of industry marketing for Santa Clara, Calif.-based data-security firm Vormetric Inc. “In order to make a law that everybody can comply with, it's got to be a little bit vague,” she says. “But that, of course creates problems.” The Bennett-Carper bill is modeled on the Gramm-Leach-Bliley Act of 1999, the sweeping law that modernized the U.S. financial industry's structure and contained a number of privacy provisions. For banks, that means their current “functional regulators” would be in charge of security oversight, and for non-bank firms covered by the proposed law, such as retailers and national credit-reporting agencies, the Federal Trade Commission would take the lead. Both Bennett and Carper are members of the Senate Committee on Banking, Housing and Urban Affairs. Bennett chairs that panel's Financial Institutions subcommittee.