Senate poised to pass national breach-notification law -- or maybe not
A Senate Judiciary Committee staffer says the odds look good for passing a comprehensive data protection act. Then we can move on to updating FISMA.
America could use a good data protection law, one that would set standards for protecting sensitive personal information and establish a national requirement for data breach notification. One staffer for the Senate Judiciary Committee says this might be the year we get it. Or maybe next year.
“I’m optimistic,” said Lydia Griggsby, the committee’s chief counsel for privacy and information policy. “Hopefully, this year will be the year.”
She is talking about S.1490, the Personal Data Privacy and Security Act of 2009, introduced by Sen. Patrick J. Leahy (D-Vt.) in July and now being considered by the Judiciary Committee. If it doesn’t move to the Senate floor this year, there is always next year, the final session of the current Congress. But the bill has been introduced in two previous congresses and has twice made it out of the committee without being passed by the Senate.
The difference this year, Griggsby said, is that Congress has become better educated about cybersecurity and data security issues over the past five years. Identity theft has become a hot issue, and agencies are repeatedly being dinged in the press with reports of data breaches that have exposed personally identifiable information.
“We are hopeful that this year we will see it move to the floor,” Griggsby said at a recent panel discussion on cybersecurity issues.
It wouldn’t be a minute too soon. Public- and private-sector officials on the panel recited the familiar litany of the exponential growth of online threats.
“Cyber threats have exploded in the last year,” said David Thompson, chief information officer of Symantec.
Overwhelmingly, those threats are targeted at the theft of personal and financial information that can be sold on a burgeoning black market and used to fraudulently obtain credit and abuse existing accounts.
A patchwork of state laws has grown up in recent years requiring organizations holding personal information to notify individuals when that information is exposed. This has been a big step forward in data protection, giving millions of potential identity theft victims a heads up when they might be at risk and highlighting identity theft as a major crime issue. Just about everybody agrees that a national standard would be an improvement. The concern is that federal preemption of state laws could gut some of the stronger standards states have put in place and might limit citizens' legal recourse.
Leahy’s bill would bring theft of personal information within the scope of federal racketeering charges and prohibit concealment of breaches, as well as requiring victim notification. Consumer reporting agencies also would have to be notified of breaches involving more than 5,000 individuals, and the Secret Service of breaches involving more than 10,000 individuals.
Perhaps most important, it would establish standards for safeguards to protect the security of sensitive personally identifiable information and impose civil penalties on businesses for violating them. The U.S. Attorney General, as well as state attorneys general, could bring civil actions for violations.
Observers doubtlessly will disagree on whether Leahy’s bill is the one that should be passed, but it would be nice to see some data protection and privacy legislation getting some traction. Then Congress can turn its attention to updating the Federal Information Security Management Act. A lot has been done under FISMA, but the IT and threat landscapes have changed dramatically in the seven years since it was passed. Thousands of government officials and private sector experts have evaluated and critiqued the law since it was put in place, and it would be surprising — not to mention disappointing — if we could not come up with a better one today.