BreachExchange mailing list archives

New data security proposal surfaces in Congress


From: Richard Forno <rforno () infowarrior org>
Date: Thu, 11 May 2006 12:56:00 -0400

New data security proposal surfaces in Congress

By Anne Broache
http://news.com.com/New+data+security+proposal+surfaces+in+Congress/2100-7348_3-6071216.html

Story last modified Thu May 11 09:45:04 PDT 2006


WASHINGTON--A new proposal in Congress would force anyone who possesses
electronic personal data to report "major" security breaches to federal
authorities before alerting consumers--or face hefty fines and even
imprisonment.

The 11-page House of Representatives bill aims to deter identity thieves and
dismantle cybercrime operations, such as phishing scams, that swipe personal
information. It was introduced this week by House Judiciary Committee
Chairman James Sensenbrenner and backed by three Republicans and one
Democrat.

Because of inadequate enforcement tools, "the scope and frequency of
cybercrime is growing rapidly and now includes many intentional criminal
syndicates and is threatening our economy, safety and prosperity," said Rep.
Howard Coble, the North Carolina Republican who presided over Thursday's
hearing.

This measure, called the Cybersecurity Enhancement and Consumer Data
Protection Act, is part of a constellation of proposals in Congress that
seek to respond to a slew of high-profile data breaches that became public
during the last year or two. Proposed solutions range from notification of
data breaches to restricting some uses of Social Security numbers.

The Republican-backed bill would require "whoever owns or possesses data in
electronic form" that contains personally identifiable information--such as
a person's name, Social Security number, or date of birth--to inform the
U.S. Secret Service or the Federal Bureau of Investigation within two weeks
of discovering a "major breach." Those law enforcement officials could then
decide to delay notification to consumers by as much as 30 days if they
determine that disclosure would harm criminal investigations or national
security.

The bill defines "major breach" as any incident that involves personal
information of 10,000 or more individuals, databases owned by the federal
government, or personal data about federal employees or contractors involved
in "national security matters or law enforcement."

Refusing to comply with the rules could result in up to five years in prison
or fines of $50,000 for each day that the intrusion is not reported--an idea
endorsed by the Justice Department.

Balking at penalties

Critics have raised the question of whether criminal penalties are
appropriate. In a letter to Coble, Ken Wasch, president of the Software
and Information Industry Association, questioned whether the establishment
of a new crime for failure to notify when a breach has occurred is "an
appropriate response to combating the pernicious effects of identity theft."
Such a tactic inappropriately places the burden on companies and individuals
hoping to safeguard data, not the criminals looking to exploit it, Wasch
said.

The bill differs from data security bills pending in other House committees
in that it does not specifically require consumers to be notified directly
of breaches.

Susanna Montezemolo, a policy analyst for Consumers Union, urged politicians
to "tread carefully" on the latest proposal. "The legislation does not
address some of the broader consumer protection issues," such as requiring
direct notification to consumers whose data has been compromised and letting
them review and update their personal information periodically for accuracy,
she said.

Those omissions also prompted a lukewarm response to the bill from Rep.
Robert "Bobby" Scott, the senior Virginia Democrat on the Judiciary panel.
"Some tweaking of the bill is desirable to clarify intent and application of
some of its provisions," he said.

Other data security bills already approved by House committees do contain
more consumer-oriented requirements, and the Judiciary Committee's version
appears likely to be combined with one or more of those proposals.

But some of those other bills, particularly one voted out of the House
Financial Services Committee in March, have also encountered criticism from
consumer groups. They've said they're concerned that bill's approval would
water down identity-theft protection by trumping arguably stronger laws
already passed at the state level, particularly California.

The Judiciary proposal focuses more on the law enforcement angle of
cybercrime. In addition to the notification requirements, it would also
expand the legal definition of current computer fraud laws to penalize those
who unlawfully obtain personally identifiable information. It also attempts
to outlaw illicit use of "botnets," defined in the bill as "the capability
to gain access to or remotely control without authorization" computers
belonging to financial institutions or involved in commerce.

For offenders of those crimes, the bill proposes beefing up penalties to as
many as 30 years in prison--rather than the existing maximum of 10- to
20-year sentences. That move received the Justice Department's endorsement
but drew skepticism from Rep. Dan Lungren, the California Republican who
heads a cybersecurity panel in the House Homeland Security committee.

Lungren said he's concerned the bill focuses too heavily on prosecuting
crimes that have already been committed and not enough on the consumer side
of combating the problem. "What I'm concerned about is the lack of knowledge
among consumers of what they can do to protect themselves...and I am one of
those consumers," he said.

The House hearing comes one day after President Bush met with identity theft
victims at the White House and announced the creation of an identity theft
"task force" chaired by the Attorney General and the chairman of the Federal
Trade Commission. The FTC also launched its own identity theft education
campaign in which it planned to dispatch videos and literature to "victim
advocate" organizations for distribution to the public.



_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/