A pair of overlapping U.S. Senate proposals aimed at reining in personal data use by the government and private sector earned approval from a key committee May 3.
The Senate Judiciary Committee passed The Personal Data Privacy and Security Act of 2007, S. 495, introduced by Chairman Patrick Leahy (D-VT) and Senator Arlen Specter (R-PA), along with the Notification of Risk to Personal Data Act, S. 1350, introduced by Senator Dianne Feinstein, (D-CA).
“[Our] bill deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place and also addresses the need to provide Americans with better notice of breaches that may affect their personal information,” Mr. Leahy said in a statement.
Ms. Feinstein said that the frequency of data breaches demonstrates that legislation is needed sooner rather than later. Major data breaches have occurred in recent months at the TJX Co., the U.S. Department of Agriculture, Johns Hopkins University, Boeing Co., the U.S. Department of Veterans Affairs and UCLA.
“This legislation would ensure that victims are informed promptly when a security breach occurs, so they can take the necessary steps to protect themselves from identity theft,” Ms. Feinstein said in a statement.
The bills, passed by voice votes, now move to the full Senate for consideration. Mr. Leahy and Mr. Specter’s effort is the more sweeping bill. A similar version of their bill was approved last year by the Senate Judiciary Committee but died before a floor vote. In the 109th Congress, Ms. Feinstein’s data breach notification measure was included as part of a data privacy bill that passed the Judiciary Committee but did not get Senate floor action.
The Feinstein bill, which focuses primarily on notification requirements for entities that experience breaches, was amended to mirror the content of the Leahy-Specter bill. Insiders said both bills were passed separately to improve their chances of getting through.
Among other provisions, S. 495 adds unauthorized access to sensitive personally identifiable information to the criminal prohibition against computer fraud and requires data brokers to let individuals know what information they have about them and, where appropriate, allow them to correct it.
The bill also provides tough monetary penalties for failing to provide privacy and security protections and notices of security breaches, and toughens criminal penalties for those who infiltrate systems to compromise personal data. It imposes a criminal penalty in the cases where there is intentional and willful concealment of a security breach known to require notice.
Several competing measures exist, such as the Identity Theft Prevention Act, which cleared the Senate Commerce Committee earlier this month. This bill prescribes notification requirements, prohibits collection of fees for credit freezes on identity theft victims, and instructs entities that handle sensitive personal information to have minimum security standards in place.
On May 1, Senator Tom Carper (D-DE) joined fellow Senate Banking Committee member Bob Bennett (R-UT) to introduce the Data Security Act of 2007, S. 1260, which requires entities to safeguard sensitive information and notify consumers of a security breach.
This Carper-Bennett bill requires institutions, such as financial establishments, retailers and federal agencies, to safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud.
While each of these measures could have a significant impact on direct marketing and financial services firms, the most favorable bill to direct marketers is the Data Security Act of 2007, according to Steve K. Berry, executive vice president for government and consumer affairs at the Direct Marketing Association.
There hasn’t been a hearing on the bill the year, but Mr. Berry hopes that one is scheduled soon. He also said he expects a data security measure will be addressed by the full Senate by late summer.
“The banking bill is probably the best in our view,” Mr. Berry said. “The details of the language and how they treat Social Security numbers is most favorable to us.”
