Congress seeks to change legal landscape for data breaches

Recent large-scale data security foul-ups and identity thefts haven't gone unnoticed by lawmakers. The recent passage of data privacy legislation by two House committees increases the likelihood that Congress will approve a bill this year the will impose new requirements on data brokerage companies such as ChoicePoint Inc., LexisNexis Group and Acxiom Corp.

Both the Financial Data Protection Act of 2005 (H.R. 3997) and the Data Accountability and Trust Act (H.R. 4127) passed through committee by large, bipartisan margins of 48-17 and 41-0, respectively.

House bill 4127, which is derived from the House Energy & Commerce Committee version and was passed in March, requires notification only if the theft or loss of consumer data is judged to pose a "reasonable risk of identity theft to the individual to whom the personal information relates." The committee approved the "reasonable risk" standard after tougher language in a subcommittee bill that had a higher threshold of "significant risk."

Data brokers, however, prefer the "significant risk" language. In 2005, Deborah Platt Majoras, the chairman of the Federal Trade Commission, told the Senate Judiciary Committee "We are grappling with the issue of over-notification. We have learned that consumers become numb to too many notifications."

House bill 3997, approved by the House Committee on Financial Services, requires data brokers to notify law enforcement agencies and businesses that are in the transaction chain if a data security breach "may result in harm or inconvenience to any consumer." If the potential breach can result in financial fraud against consumers by causing harm or inconvenience, then the consumers must be notified through a uniform mailing.

The bills have important differences, but both address problems highlighted early in 2005 when the state of California's Security Breach Information Act (SB-1386) forced ChoicePoint and LexisNexis to disclose that identity thieves had pilfered data on more than 450,000 customers.

There are two additional bills passed last year by Senate committees that are intended to shore up corporate data security: the Personal Data Privacy and Security Act (S. 1789), and the Identity Theft Protection Act (S. 1408).

All four of the congressional bills contain a notification requirement based on a risk analysis. The California bill, and many of the 20-plus state bills which have followed in its wake, define a security breach requiring the company holding the data to alert the state, businesses and consumers, as "unauthorized acquisition of or access to computerized or other data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."

There are no finite risk thresholds in the bills, which mean its uncertain how much data would have to be leaked or stolen before an organization would be obligated to issue notifications. But a staff counsel to the Center for Democracy and Technology noted that the existing California law has an exemption for theft of encrypted data. No notification is required in that instance.

It is also required in all four bills that data brokers adopt security standards that would be, in some cases, dictated by federal agencies. The Energy & Commerce bill requires data brokers to establish "reasonable procedures" to verify the accuracy of information that they collect and maintain:

In addition to common elements on notification and security standards in all four bills, each contain a variety of other provisions, including:

Granting consumers access to their personal data files

Giving consumers the ability to freeze their credit reports

Forbidding the solicitation, sale, or display of social security numbers

Requiring federal agencies to audit the information security practices of data brokers bidding for federal contracts

A LexisNexis spokesman declined to comment on the notification provisions in the various congressional bills. Spokespersons at ChoicePoint Inc. and Acxiom Corp. did not respond to inquiries.

A communications director for the Cyber Security Industry Alliance (CSIA) said his group has not endorsed either of those two House bills, nor the Senate bills.

"All the bills generally are headed in close enough to the right direction. We want a bill passed into law much more than we want to insist on one particular piece of legislation."

In fact, few proposed bills have as much bipartisan congressional support and as little significant interest group opposition as the data privacy bills, suggesting that a single, compromise version would be likely to land on President Bush's desk this year.