Two senior U.S. Senators introduced a wide-ranging data protection bill Wednesday that would send officials from companies who do not disclose security breaches to jail for up to five years, and bring the RICO Act to bear on identity theft gangs.
As anticipated, Sen. Arlen Specter (R-Pa.), the chairman of the Judiciary Committee, and that committee's ranking member, Sen. Patrick Leahy (D-Vt.) rolled out the most aggressive bill yet in reaction to the wave of security gaffes that have exposed millions of Americans' identities since the first of the year.
Among its provisions, the Personal Data Privacy and Security Act of 2005 would create a new computer crime classification -- aggravated fraud -- that would add two years of additional jail time for obtaining or access another's digital ID; severely restrict the use of Social Security numbers as account identifiers or numbers; and hold company executives responsible if they hide a data breach.
"It's time for Congress to catch up with the data market and show the American people that we are aware of these threats and will protect the privacy and security of their personal information," Leahy said from the Senate floor Wednesday as he and Specter introduced the bill.
"Reforms like these are long overdue," Leahy added.
Both Leahy and Specter predicted quick passage of the bill, which is the first to sport a Republican as sponsor. Several other bills that take on the data exposure problem have come from several prominent Democrats, including Dianne Feinstein (D-Calif.) and Charles Schumer (D-N.Y.).
The legislation would:
-- Add new penalties to the books by extending computer fraud to cover unauthorized access of data brokers' systems (the statute already covers financial institutions and credit card issuers), meaning that criminals could face up to 10 years in jail; giving the government the power to invoke racketeering charges using the RICO statue to prosecute criminal gangs trading in identities; and putting company officials in prison for up to 5 years if they conceal a data breach.
-- Enact a bevy of new regulations that cover "data brokers," defined as business or non-profits "in the practice of collecting, transmitting, or otherwise providing personally identifiable information on a nationwide basis on more than 5,000 individuals." Among the regulations: data brokers would have to allow consumers the chance to change their information, and as with a credit report, receive a copy of that information at their request.
-- Require businesses not already covered by the Gramm-Leach-Bliley Act or HIPPA (Health Insurance Portability and Accountability Act of 1996) to create a data privacy and security program. That part of the Leahy-Specter bill also expands disclosure rules nationwide, and mandates that customers be informed of any security breach involving more than 10,000 people, or that revolved around a database with more than a million entries.
-- Limit the ways that Social Security numbers can be used as account numbers. This section also bans the sale of Social Security numbers, one of the data bits sold to fraudsters by ChoicePoint in 2004 and disclosed in February 2005.
-- And forces the General Services Administration (GSA) to review government contractors' the privacy and security programs before awarding contracts. This last item came from the recent news that the Internet Revenue Service had awarded a $20 million contract to ChoicePoint.
"It's especially galling to be rewarding firms that have been so careless with the public's confidential information," said Leahy on the floor. "We should at least take a pause before rewarding such missteps with even more government contracts."