Congress mulls new rules on protecting personal data

 

Connecting state and local government leaders

Government workers probably wish it happened earlier, but support is finally growing for federal regulation of personal information held by private companies. In February, Bank of America Corp. lost personal data, including Social Security numbers, for 1.2 million federal charge card holders.

'Other laws, such as the Driver's Privacy Protection Act and the Health Insurance Portability and Accountability Act, also restrict the disclosure of certain types of information, but are not enforced by the commission,' Majoras said.The current patchwork of laws leaves gaps in their coverage, Specter said.The closest thing to a national standard now is a 2003 California law requiring companies to notify individuals when unencrypted personal information might have been compromised. Because so many companies do business in California, the law has become a de facto standard nationwide.That law is credited with leading to the exposure of the recent string of security breaches.Sanford and Curling acknowledged that LexisNexis and ChoicePoint had suffered losses of data prior to 2003 that were not reported.'We would not know of these breaches if it were not for the California law,' said Sen. Dianne Feinstein (D-Calif.).Feinstein has introduced two bills patterned on the California law that would require notification when personal data is exposed.But not everyone agrees that legislation is needed. 'I'm not a big fan of legislation,' Howard Schmidt, former special advisor to the president for cybersecurity, said at the CSIS discussion.If federal legislation is inevitable, it should be crafted with input from industry to ensure it is not overly burdensome, he said.'Currently, that dialog is not taking place,' he said of current proposed legislation. 'It's a knee-jerk reaction.'

Government workers probably wish it happened earlier, but support is finally growing for federal regulation of personal information held by private companies. In February, Bank of America Corp. lost personal data, including Social Security numbers, for 1.2 million federal charge card holders.

What form any new regulations would take is unclear, and not everyone is convinced the government should get involved in the first place. But with each new revelation that citizens' privacy has been compromised, pressure mounts to close the data spigots. Ironically, such regulations could affect government consumers of commercial data, such as the FBI.

'I believe there will be some very firm federal regulations coming out of this issue,' Sen. Arlen Specter (R-Pa.) said during a recent hearing of the Senate Judiciary Committee on electronic personal data.

The hearing was called in the wake of a spate of incidents in which sensitive information about hundreds of thousands of individuals had been lost or stolen. Three senators at the hearing said they recently introduced or will reintroduce legislation to secure and control the handling of personal data.

When pressed by senators, representatives of three companies, all of which suffered security breaches, said they would support some level of regulation.

'Adoption of additional legislation may be appropriate,' said Jennifer T. Barrett, chief privacy officer of Acxiom Corp. of Little Rock, Ark. Acxiom provides background screening, credit reports, Social Security number traces and other services. In 2003, a man was arrested and pleaded guilty to hacking an Acxiom server and downloading millions of records. Authorities said he never used the information fraudulently.

Data losses

The hearing came one day after LexisNexis Group of Dayton, Ohio, reported that information on as many as 310,000 individuals might have been stolen from its databases over the past two years.

'We sincerely regret these incidents,' said Kurt P. Sanford, CEO of the company's corporate and federal markets.

Also apologizing at the hearing was Douglas C. Curling, chief operating officer of ChoicePoint Inc. of Alpharetta, Ga., which recently announced it had sold data on as many as 145,000 individuals to phony clients. Data about hundreds of thousands of other people has recently been lost or stolen from banks, a retailer and a California university.

Much of the legislators' current attention is focused on data brokers, such as LexisNexis and ChoicePoint, which aggregate and sell data on individuals. This information supports much of the nation's credit market and is used for background checks and criminal investigations.

The government is a major consumer of these services. The FBI has contracts with many data brokers and paid $75 million last year to ChoicePoint. Chris Swecker, assistant director of the criminal investigative division, said the bureau made about one million queries to data brokers in fiscal 2003, and made 1.2 million queries to ChoicePoint alone in 2004.

Under a bill introduced by Senator Charles E. Schumer (D-N.Y.), data brokers would have to track how their clients access data and provide reports to consumers when their personal data is accessed. As currently written, the bill includes no exemptions for law enforcement agencies accessing personal data, although the FTC mould exempt any data merchant from the regulations, in whole or in part, if the commission determines that exemption is in the public interest.

In addition, a 2003 measure likely to be reintroduced by Sen. Russ Feingold (D-Wis.) would require agencies to report to Congress how they mine commercial data.

Swecker said the FBI does not perform data mining, and only makes queries on specific individuals. But there are no guarantees on the accuracy of the data returned.

'That's why we have contracts with all of these companies, to cross-check data,' he said.

Few of the breaches reported recently were the result of hacking. People using valid user names and passwords took data from both ChoicePoint and LexisNexis. Other data was on lost back-up tapes and a stolen notebook computer. These kinds of losses should be easy to prevent or mitigate, said Arthur Coviello, CEO of RSA Security Inc. of Bedford, Mass.

'Shame on those people,' for not employing basic tools such as strong access controls, data encryption and customer authentication, Coviello said at a recent panel discussion hosted by the Center for Strategic and International Studies in Washington.

'We need some level of federal regulation,' he said.

Although there is no law specifically regulating data brokers or the disclosure of consumer information, a number of federal laws do apply in this area, said Deborah Platt Majoras, chairwoman of the Federal Trade Commission, including:

  • The Fair Credit Reporting Act, which is undergoing changes at the FTC to implement new provisions that target ID theft

  • Title V of the Gramm-Leach-Bliley Act, which covers consumer information privacy

  • Section 5 of the FTC Act, which protects consumers against deceptive practices.












Federal action debated








WEB EXTRA: Three potential data privacy laws Senators are considering. GCN.com/415, at www.gcn.com
X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.