Concealing security breaches where personal consumer information may have been swiped could carry prison time under a pair of proposals that were reintroduced in Congress.
In the Senate, Sen. Patrick Leahy (D-VT), chairman of the Senate Judiciary Committee, and Sen. Arlen Specter (R-PA), ranking member of the same committee, introduced on Feb. 6 a revised version of their Personal Data Privacy Act that was approved by the Senate Judiciary Committee last year but died before a floor vote.
“Today, Americans live in a world where their most sensitive personal information can be accessed and sold to the highest bidder, with just a few keystrokes on a computer, yet our privacy laws haven’t kept pace,” said Sen. Leahy in a statement.
“This comprehensive bill not only deals with the need to provide Americans with notice when they have been victims of a data breach, but also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place,” he said. “Reforms like these are long overdue.”
Sen. Leahy also said the bill can serve as a model for states in enacting laws covering state-kept data.
The senators first proposed a broader version of the bill in 2005 after reports of high-profile breaches at ChoicePoint and LexisNexis, two major collectors of consumer information.
Since then, breaches at several other firms and within state and federal governments have exposed millions of Americans to identity theft by leaking or losing their personal data, which included names, addresses, and sometimes Social Security numbers.
According to the Privacy Rights Clearing House, since February 2005, more than 100 million records containing personal information have been subject to some sort of security breach.
Key features of the bipartisan legislation include:
· Increasing criminal penalties for identity theft involving electronic personal data and making it a crime to intentionally or willfully conceal a security breach involving personal data;
· Giving individuals access to, and the opportunity to correct, any personal information held by commercial data brokers;
· Requiring entities that maintain personal data to establish internal policies that protect the personal data of Americans;
· Requiring entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data; and
· Requiring the government to establish rules protecting privacy and security when it uses information from commercial data brokers, to conduct audits of government contracts with data brokers and impose penalties on government contractors that fail to meet data privacy and security requirements.
Sen. Leahy, who has testified before congressional committees on this bill and the need for stronger privacy protections, has marked privacy issues as a high priority agenda item for the Judiciary Committee in the 110th Congress.
The committee’s first hearing this session was on the use of government databanks and data mining, and the need for stronger congressional oversight of that technology in order to strike a proper balance between Americans’ privacy and their security.
Meanwhile, in the House, Rep. Lamar Smith (R-TX) reintroduced his Cybersecurity Enhancement and Consumer Data Protection Act as part of a package of bills marketed as “America’s Law and Order Agenda.”
The bill would make it a crime, punishable by fines or up to five years in prison, to withhold information from the Federal Bureau of Investigation and the U.S. Secret Service about a “major security breach.”
In addition, the proposal would also require any stewards of information that experienced a breach to notify those investigative agencies within 14 days of discovering it and before telling any consumers about the incident. Failure to meet those requirements would result in fines of up to $50,000 a day.
The FBI and Secret Service, in turn, would also be allowed to delay notifying consumers if they decided such a practice would impede an investigation or threaten national security.
The bill would expand the definition of computer fraud laws to penalize those who obtain personally identifiable information without authorization and those who “conspire” to gain illicit access to machines.
It also attempts to outlaw illicit use of “botnets,” which the bill defines as “the capability to gain access to or remotely control without authorization” computers that belong to financial institutions or are involved in commerce.
Anyone convicted of those and other existing computer crimes could face up to 30 years in prison, as opposed to the current maximum of 10 to 20 years
The Feb. 6 actions mark the latest in a series of attempts by Congress this year to tackle leftover data security proposals.
Early last month, Sen. Dianne Feinstein (D-CA) reintroduced two bills: one that calls for national requirements for consumer notification in the event of data security breaches, and another that proposes restricting the sale, purchase and display of Social Security numbers.
