After months of headlines about lost and stolen consumer and employee data at banks, information brokers, retailers, and credit-card processors, it seemed inevitable that federal lawmakers would lay down new rules. Here they come.
Two senators last week proposed a bill mandating data-security management steps for many businesses and a nationwide standard for notifying consumers of security breaches. The legislation addresses the public's growing concern about identity theft; survey results released last week by Deloitte & Touche and the Center for Social and Legal Research indicate that 44 million Americans have been ID-theft victims.
The bill, introduced by Sens. Patrick Leahy, D-Vt., and Arlen Specter, R-Pa., would require companies that store information on more than 10,000 people to create a data-privacy and protection program, including assessing, maintaining, and controlling risks to data privacy and security. Businesses would have to provide employee training, perform vulnerability tests, and ensure that third-party service providers have adequate security programs.
Companies that engage in interstate commerce would have to notify anyone whose personal information, such as name, Social Security number, or date of birth, has been affected by a security breach.
The bill's data-privacy and security requirements are modeled after tougher guidelines that the Office of the Comptroller of the Currency began applying in March to the banks it regulates. The bill exempts financial institutions and some health-care entities because they're covered under existing laws such as Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act.
By creating a national notification standard, the bill might help companies now facing a patchwork of state laws. Eighteen states have adopted disclosure laws, most of them patterned after California's; the national law would preempt those laws.
The bill would give consumers the right to review and correct information collected by information brokers such as Acxiom, ChoicePoint, and LexisNexis, all of which have experienced data breaches. It prohibits, with certain exceptions, the display, sale, and purchase of Social Security numbers without an individual's consent. ChoicePoint in March stopped selling most information products containing sensitive consumer data.
The notification rule exempts companies from notifying consumers of a security breach if a risk assessment conducted with law enforcement determines the risk of fraud is minimal. A "fraud-prevention exemption" excuses companies from notification if compromised data can't be used to commit fraud or if the company has a security program reasonably designed to block its use for fraudulent transactions.
Those exemptions provide incentives for companies to strengthen security programs, while reducing the need to report every incident, such as a lost tape with encrypted data. "The thing this bill does that's wise, that some of the other data-security-breach notification bills don't do, is tie the trigger for notification to judgment of the likelihood of harm," says Emily Hancock, an attorney at Steptoe & Johnson, who advises large companies and financial institutions on data security.
Credit-card companies appear to favor the bill. Visa is studying it, a spokeswoman says, but believes provisions--such as extending security and privacy requirements to nonfinancial institutions, restricting use of Social Security numbers, and creating a national notification standard--have a lot of merit.