Sen. Dianne Feinstein, D-CA, has introduced two bills aimed at protecting individuals from identity theft. One would require businesses to notify consumers in the event of a security breach. The other would prohibit the sale or display of a person’s Social Security number without his consent.
S. 239, the Notification of Risk to Personal Data Act, would require federal agencies and people engaged in interstate commerce in possession of data containing sensitive, personally identifiable information to disclose any breach of such information. S. 238, the Social Security Number Misuse Prevention Act, would limit the use of Social Security numbers and establish criminal penalties for misuses. The bills were introduced Jan. 10 and referred to the Judiciary Committee. The Direct Marketing Association supports the bills, especially S. 239.
“The data breach bill is pretty straightforward and similar to some of the legislation that was introduced last year,” said Stephanie Hendricks, a DMA spokeswoman. “It has the things we have been supporting all along. It creates a national standard, it appears to be targeted at the sensitive information that would put somebody at the risk of identity theft and it has a trigger for notification when there is a real risk to the consumer.”
The increased frequency of data breaches shows that legislation is needed quickly, the senator said. Breaches have occurred in recent months at Boeing, UCLA, the Colorado Department of Human Services, Starbucks, the Chicago Voters’ Database and Akron (OH) Children’s Hospital.
The senator, who chairs the Judiciary subcommittee on terrorism, technology and homeland security, said she intends to hold a hearing on the legislation early in the 110th Congress.
In the 109th Congress, her data breach notification measure was part of a comprehensive data privacy bill that passed the Judiciary Committee on Nov. 17, 2005, but did not get Senate floor action.
However, details remain to be worked out in the bill, Ms. Hendricks said, and other data breach bills probably will be introduced, so a compromise is likely. This was the first bill introduced in the 110th Congress regarding data breaches.
“We hope Congress does get a bill passed this year,” she said. “We really want that to happen. We really want a single national standard.”
As for S. 238, Ms. Hendricks said the bill is a little more complex, though the DMA is supportive of efforts to combat identity theft. But with any Social Security number bill, “you need to be sure that the protections don’t inadvertently make it harder to prevent fraud,” she said. “This is the key issue for us: You have to balance the protections because sometimes Social Security numbers are the way you verify the identity of someone. Sometimes fraud prevention involves getting the Social Security number, not just limiting it.”
The Notification of Risk to Personal Data Act would:
• Require a federal agency or business entity to notify an individual of a security breach involving personal data without unreasonable delay.
• Allow limited exemptions for law enforcement and national security reasons.
• Require media and individual notice.
• Require that the notice include a description of the type of personal data breached and a toll-free number to call for more information.
• Require the company or agency to coordinate with credit reporting agencies if more than 1,000 individuals must be notified.
• Require notice to the Secret Service if records of more than 10,000 individuals are obtained or if the database breached contains more than 1 million entries or is owned by the federal government.
• Authorize the U.S. attorney general and state attorneys general to bring civil actions.
• Supersede conflicting federal or state laws.
The Social Security Number Misuse Prevention Act would:
• Prohibit the sale or display of an individual’s Social Security number to the general public without the individual’s consent.
• Prohibit federal, state and local government agencies from displaying Social Security numbers on public records posted on the Internet or issued to the general public through CD-ROMs or other electronic media, or from printing them on government checks.
• Prevent the employment of inmates for tasks that would give them access to the Social Security numbers of other individuals.
• Limit when a business can ask a customer for his Social Security number.
• Require a study of the current uses of Social Security numbers and the effect on privacy and data security.
• Include both criminal and civil penalties.