Data Breach Bill Forthcoming, But Critics Find Fault
Companies would have to make data security breaches public, and those failing to tell consumers when they may be at risk of ID theft could face criminal prosecution, under a bill expected this week from Senate Judiciary Committee Chmn. Specter (Pa.) and Ranking Democrat Leahy (Vt.). The measure comes less than a week after MasterCard said a breach might have exposed 40 million credit cards to fraud. After a string of high-profile breaches involving ChoicePoint, Lexis Nexis and others, Congress and state legislatures have been inundated with proposals to clamp down on ID theft and tighten controls on entities that collect and distribute data.
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
The bill would up penalties for computer fraud when such fraud involves personal data and add fraud involving unauthorized access to personal information as a predicate offense for the Racketeer Influenced Corrupt Organizations (RICO) Act. It would criminalize intentional or willful concealment of security breaches involving personal data and give consumers access to -- and opportunities to correct -- personal data held by data brokers. The measure would require entities maintaining personal data to set internal policies to protect the sensitive material and vet 3rd-party processors -- steps some financial institutions have begun taking in recent months.
Under the bill, entities that maintain personal data would have to notify individuals and law enforcement when they experience breaches involving sensitive personal data, Leahy said during a Senate Judiciary Committee business meeting on Thurs. It would limit the buying, selling or displaying of a Social Security number (SSN) without consent from the person whose number it is, bar companies from requiring people to use SSNs as account numbers and limit the instances in which firms can force individuals to provide SSNs to obtain goods or services. Some companies, like Bank of America, have acted preemptively. This summer, the bank is phasing in a program that lets customers pick an image, write a brief phrase and select 3 challenge questions to add an extra level of security to transactions (WID May 27 p8).
The bill has implications for govt. and industry. It would bar govt. agencies from posting public records that contain SSNs on the Internet and would require that the govt. establish rules protecting privacy and security when it uses data broker information, to conduct audits of govt. contracts with data brokers and punish contractors that fail to meet data privacy and security policies. “Insecure databases have become low-hanging fruit for hackers looking to steal identities and commit fraud during a time when we are seeing a troubling rise in organized rings that target personal data to sell in online, virtual bazaars,” Leahy said.
At press time, a spokeswoman for Leahy said she wasn’t hopeful the bill would drop Thurs. Logistics still had to be worked out with Specter’s staff.
‘The Kind of Results We Need’ Aren’t There, Critics Say
The bill’s public disclosure portions eventually will have less impact, so the importance of the criminalization aspects cannot be overstated, said security expert Bruce Schneier. Public shaming works as long as public shaming exists, he said. As firms report more incidents, media coverage will shrink and the public will hear less about them. “Identity theft is a problem but the entities that can solve it don’t care,” he said. Companies like ChoicePoint or CardSystems, the 3rd-party processor responsible for the latest and most wide-sweeping breach, don’t fret about consumers’ welfare, he charged. The risk of fines or jail time might encourage consumer protection, he said.
George Washington U. law prof. Jonathan Turley disagreed, saying criminal penalties for not disclosing breaches “will do little to turn the tide, due to other systemic problems.” ID thieves can open and close profitable phishing sites in 5 days, whereas shutting them down takes nearly 6, he told us. Most operations are never detected: “Until you increase the detection rate, there is not going to be effective deterrence,” Turley said.
Prosecutors “don’t want to waste their time on what they consider to be small cases,” where an average settlement might yield $800. District attorneys should be pressured by publicizing “hot zones” of ID theft activity such as the Bronx, but ultimately U.S. attorneys should prosecute these cases, he said. The govt. needs a “single, comprehensive federal initiative” led by a commission or task force that also funds state efforts and reports prosecution rates.
The bill’s other provisions don’t go far enough either, Turley said. A ban on posting records with SSNs online won’t address the 90% of the population whose SSNs are published in county public documents, he said. Making breaches a predicate offense for the RICO Act will work for “massive [criminal] gangs,” not individual thieves, who commit the vast majority of such crimes, he added. The Specter-Leahy bill is “good” but “it still doesn’t promise the kind of results we need.”
Schneier, however, lauded the bill for its attention to SSN protections, but he said legislation should go further by barring companies from selling all personal information. He said the SSN is a red herring and is “no longer the key to your identity” because hackers have the skills to circumvent SSNs to piece together accurate identifiers through names, phone numbers, addresses and other information. The U.S. really needs a comprehensive data protection act like the one that Europe enacted, he said: “I don’t think Congress has the balls to do that -- that would inhibit business and we have a Congress that pretty much universally places the interests of businesses over the interest of people.”
Former govt. cybersecurity adviser Howard Schmidt told us federal preemption of a patchwork of state laws is among the bill’s most important attributes. “We have to make this as clear as possible so people don’t have to go through 51 different iterations of regulations,” he said. Schmidt, who recently left his post as eBay’s vp-security, said the 2 sponsors have long been known for reaching out to industry, advocates and experts when crafting legislation. They're careful to consider unintended consequences while balancing those risks with consumer protection, he said.
Some lawmakers weren’t willing to comment on the bill before it dropped, but Rep. Berman (D-Cal.), the top Democrat on the House subcommittee charged with Internet and IP issues, told us the measure would provide privacy protection and “a framework of regulation and deterrence against sloppy practices.” In the increasingly digital world, state-by-state regulations just won’t do, nor will legislation that bows to pressure from big business. He said Specter and Leahy “aren’t flacking for the industry here.”
Feinstein’s Notification Bill Moves Forward
At the same committee meeting where Leahy voiced intent to introduce the legislation, members marked up a related bill sponsored by Sen. Feinstein (D-Cal.). Her S. 751 would notify consumers when personal data are breached. No exceptions would be made for “low-risk” breaches or encrypted data, she said. Consumers also could put themselves on a 7-year fraud alert (WID June 17 p1). “Day after day we hear about new data breaches, each one worse than the last,” Feinstein said, adding that Cal. residents and citizens of a few other states have the right to be notified when their data have been compromised. “Residents of New Hampshire, Vermont, and Mississippi deserve the same rights that Californians have,” she said. Sen. Kyl (R-Ariz.) agreed to cosponsor a modified version of Feinstein’s measure.
The modified version of the bill requires the federal govt. and businesses to notify individuals of a data security breach that has resulted in, or in which there is a significant risk of, harm to individuals. There are only 2 exceptions to immediate notification -- for law enforcement or national security purposes, officials said. The data covered include an individual’s name in combination with SSN, driver’s license or state issued ID number; financial account, credit card, debit card number with any required password or code; health information; or any other information regarding an individual deemed appropriate by the FTC.
Encrypted, unencrypted, electronic and non-electronic data are covered by the revised bill. The legislation stipulates that notification of a breach be provided in writing or by e-mail but electronic notification is only appropriate when an individual previously has consented to receiving e-mails from that agency or business. When a govt. agency or business fails to notify consumers about a security problem involving personal data in a timely manner, they would risk fines of up to $1,000 per individual whose personal data were, or are reasonably believed to have been, compromised, or no more than $50,000 per day while the failure to notify persists, the bill states. Injunctive relief also would be available, with state attorneys gen. able to bring civil action against businesses in federal or state court to enjoin them from violating, or to enforce, the bill’s notification requirements.
House Commerce Chmn. Barton (R-Tex.) is “in the final stages of crafting what he hopes will be a bipartisan plan to address many of the issues involving lost or stolen data,” a spokesman told us late Thurs. A nationwide notification standard plus severe restrictions on transactions involving SSNs will be included in the legislation, he said. Barton’s spokesman called it encouraging to see bipartisan support for kindred measures in the Senate, which could boost the chances that Congress can ultimately enact new legislation.