Congress assesses data security proposals: a number of
bills have been introduced in the Senate and House, but no further
action is expected until later in 2006.
by Moye, Stacey
Americans demand security and privacy for their personally
identifiable information. The establishment of new technology systems
that allow for the easy access and transference of personally
identifiable data between parties has raised concerns on Capitol Hill
suggesting the need for additional safeguards.
Incidents of breach of sensitive personal information continue to
rise. A 2003 survey of a one-year period by the Federal Trade Commission
revealed that more than 10 million people had experienced identity theft
in one form or another. Widely reported episodes of data breaches, such
as those by Bank of America and Lexis-Nexis, serve as lessons to
information brokers that the highest level of security is required to
ensure that personally identifiable information is not compromised.
These incidents have captured the attention of lawmakers, and a number
of measures that aim to prevent data breaches have been proposed in the
Senate and the House.
The Identity Theft Protection Act, S. 1408, is sponsored by a
bipartisan group of senators and was voted out of the Senate Commerce,
Science and Transportation Committee on July 28, 2005. S. 1408 would
require covered entities (i.e., any commercial entity or charitable,
educational, or nonprofit organization that acquires, maintains, uses,
or disposes of sensitive personal information) to take reasonable steps
to protect against security breaches and to prevent unauthorized access
to sensitive personal information that the entity sells, maintains,
collects, transfers, or disposes. To safeguard against unauthorized
breaches of information, covered entities would be required to
"develop, implement, and maintain an effective information security
program that contains administrative, technical, and physical safeguards
for sensitive personal information."
The bill directs covered entities to report security breaches
affecting 1,000 or more persons to the Federal Trade Commission (FTC)
and to any other appropriate regulatory body and to notify all relevant
consumer reporting agencies of the breach. Covered entities are required
to notify individuals if the breach would cause identity theft. S. 1408
allows consumers to place a security freeze on their credit reports in
the event of a breach. The measure further directs the establishment of
an Information Security Working Group to develop best practices to
protect sensitive personal information.
According to senior congressional staff, provisions contained in S.
1408 allowing consumers to institute a credit freeze in the event of a
security breach are creating tensions with other Senate committees. The
Senate Banking Committee claims jurisdiction over the credit freeze
provisions, and their inclusion is slowing consideration of the measure.
Senate staff involved in the legislation indicate that there will be no
further action on this bill until sometime later in 2006.
The Senate Judiciary Committee has also claimed jurisdiction over
data security proposals. Senate Judiciary Committee Chairman Arlen
Specter (R-PA) introduced the Personal Data Privacy and Security Act of
2005, S. 1789, in September. The measure was voted out of the Senate
Judiciary Committee favorably on November 17.
S. 1789 requires covered entities to design and implement security
programs and requires that risk assessments of such systems be
performed, similar to security requirements contained within the
Sarbanes-Oxley Act. The measure also contains a provision directing
covered entities to provide appropriate training to employees in
securing information. S. 1789 is a far-ranging bill affecting any
business that collects personally identifiable information that is not
currently subject to Fair Credit Reporting Act (FCRA),
Gramm-Leach-Bliley, or Health Insurance Portability and Accountability
Act (HIPAA) regulation. The Specter bill would require a review of
federal sentencing guidelines to allow a maximum penalty to be imposed
on identity thieves and imposes financial penalties on data brokers for
allowing data breaches to occur. The bill also outlines procedures for
data brokers and consumers to follow to correct erroneous information
contained in a personally identifiable record. The measure allows states
to litigate enforcement actions. The measure has three bipartisan
cosponsors as of this writing.
During the November 17 mark-up of S. 1789, panel members agreed
that national legislation addressing data security was
necessary, but there was disagreement on how to craft specific
legislation. A point of contention among senators was over language in
the bill referencing what kind of breach would trigger a notice
requirement to consumers that their data was at risk. An amendment by
Sen. Jeff Sessions (R-AL) and Sen. Jon Kyl (R-AZ) to narrow the
definition for what kind of breaches would trigger customer notification
from "risk of harm" to "significant risk of
identification theft" failed on a tie (9-9) vote. Sessions had
argued that the "risk of harm" standard was too broad and
would impose too much of a burden on data brokers. The bill is expected
to be considered on the Senate floor in 2006, where Sessions has
indicated he has plans to introduce another 14 amendments, including
provisions designed to preempt state data protection laws.
In October, Rep. Cliff Stearns (R-FL) introduced the Data
Accountability and Trust Act ("DATA" Act), H.R. 4127. As of
this writing, the legislation has eight cosponsors. The bill was
reported out of the House Energy and Commerce Subcommittee on Commerce,
Trade, and Consumer Protection favorably on November 3. The legislation
is set for consideration by the full committee in 2006.
Upon passage of H.R. 4127 by the Commerce Subcommittee that he
chairs, Stearns commented, "[t]his bill will help ensure that
personal data are accounted for, secured, and actively protected against
breaches by empowering consumers and businesses to promote the notion
that security sells. Given the alarming rate of data breaches and the
resulting identity theft epidemic, consumers are understandably
questioning the security of using the Internet for commercial
transactions."
The DATA Act would direct the FTC to promulgate rules requiring
security for personal information that take into account the size,
nature, and scope of the person's activities, the current state of
technology, and the cost of implementing security procedures. The bill
would require covered entities to have a security policy that details
the "collection, use, sale, other dissemination, and security"
of the data the entity collects and would require covered entities to
appoint a point person in the organization to be responsible for
maintaining information security.
The measure further requires any covered entity that experiences a
breach of security to notify all those in the United States whose
information was acquired by an unauthorized person as a result of the
breach and requires an independent audit of an information broker's
security procedures following a security breach. The bill would preempt
state data-security laws. In the event of a security breach, the measure
provides that covered entities that have encryption programs and use
other security measures have a rebuttable presumption against liability.
Several members of Congress have introduced a measure that seeks to
specifically address brokers of personally identifiable financial data.
The Financial Data Protection Act of 2005, H.R. 3997, was introduced on
October 6 by representatives Steve LaTourette (R-OH), Darlene Hooley
(D-OH), Michael Castle (R-DE), Deborah Pryce (R-OH), and Dennis Moore
(D-KS). Eight additional cosponsors have signed on as of this writing.
The House Financial Services Subcommittee on Financial Institutions and
Consumer Credit held a hearing on the bill on November 9.
H.R. 3997 is designed to "prevent data breaches by mandating a
national standard for the protection of sensitive information on
consumers; require institutions to notify consumers of data security
breaches involving sensitive information that might be used to commit
financial fraud against them; and require institutions to provide
consumers with a free six-month nationwide credit monitoring service
upon notification of a breach." H.R. 3997, however, contains no
provisions that would impose sanctions on covered entities who do not
act to protect sensitive personally identifiable information.
There was much disagreement during the November 9 hearing on H.R.
3997 with several lawmakers, including Rep. Barney Frank (D-MA),
expressing concerns that the measure does not go far enough to prevent
security breaches. Frank serves as ranking member on the full committee.
Subcommittee Chairman Spencer Bachus (R-AL) indicated that he wanted to
work with all committee members to create consensus legislation that a
majority of policymakers could support. Bachus indicated that the bill
would be marked up in February 2006 at the earliest.
COPYRIGHT 2006 Association of Records Managers &
Administrators (ARMA) Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.