BreachExchange mailing list archives
New data security proposal surfaces in Congress
From: Richard Forno <rforno () infowarrior org>
Date: Thu, 11 May 2006 12:56:00 -0400
New data security proposal surfaces in Congress
By Anne Broache
http://news.com.com/New+data+security+proposal+surfaces+in+Congress/2100-7348_3-6071216.html
Story last modified Thu May 11 09:45:04 PDT 2006

WASHINGTON--A new proposal in Congress would force anyone who possesses electronic personal data to report "major" security breaches to federal authorities before alerting consumers--or face hefty fines and even imprisonment.

The 11-page House of Representatives bill aims to deter identity thieves and dismantle cybercrime operations, such as phishing scams, that swipe personal information. It was introduced this week by House Judiciary Committee Chairman James Sensenbrenner and backed by three Republicans and one Democrat.

Because of inadequate enforcement tools, "the scope and frequency of cybercrime is growing rapidly and now includes many intentional criminal syndicates and is threatening our economy, safety and prosperity," said Rep. Howard Coble, the North Carolina Republican who presided over Thursday's hearing.

This measure, called the Cybersecurity Enhancement and Consumer Data Protection Act, is part of a constellation of proposals in Congress that seek to respond to a slew of high-profile data breaches that became public during the last year or two. Proposed solutions range from notification of data breaches to restricting some uses of Social Security numbers.

The Republican-backed bill would require "whoever owns or possesses data in electronic form" that contains personally identifiable information--such as a person's name, Social Security number, or date of birth--to inform the U.S. Secret Service or the Federal Bureau of Investigation within two weeks of discovering a "major breach." Those law enforcement officials could then decide to delay notification to consumers by as much as 30 days if they determine that disclosure would harm criminal investigations or national security.
The bill defines "major breach" as any incident that involves personal information of 10,000 or more individuals, databases owned by the federal government, or personal data about federal employees or contractors involved in "national security matters or law enforcement." Refusing to comply with the rules could result in up to five years in prison or fines of $50,000 for each day that the intrusion is not reported--an idea endorsed by the Justice Department.

Balking at penalties

Critics have raised the question of whether criminal penalties are appropriate. In a letter to Coble, Ken Wasch, president of the Software and Information Industry Association, questioned whether the establishment of a new crime for failure to notify when a breach has occurred is "an appropriate response to combating the pernicious effects of identity theft." Such a tactic inappropriately places the burden on companies and individuals hoping to safeguard data, not the criminals looking to exploit it, Wasch said.

The bill differs from data security bills pending in other House committees in that it does not specifically require consumers to be notified directly of breaches. Susanna Montezemolo, a policy analyst for Consumers Union, urged politicians to "tread carefully" on the latest proposal. "The legislation does not address some of the broader consumer protection issues," such as requiring direct notification to consumers whose data has been compromised and letting them review and update their personal information periodically for accuracy, she said.

Those omissions also prompted a lukewarm response to the bill from Rep. Robert "Bobby" Scott, the senior Virginia Democrat on the Judiciary panel. "Some tweaking of the bill is desirable to clarify intent and application of some of its provisions," he said.
Other data security bills already approved by House committees do contain more consumer-oriented requirements, and the Judiciary Committee's version appears likely to be combined with one or more of those proposals. But some of those other bills, particularly one voted out of the House Financial Services Committee in March, have also encountered criticism from consumer groups. They've said they're concerned that the bill's approval would water down identity-theft protection by trumping arguably stronger laws already passed at the state level, particularly in California.

The Judiciary proposal focuses more on the law enforcement angle of cybercrime. In addition to the notification requirements, it would also expand the legal definition of current computer fraud laws to penalize those who unlawfully obtain personally identifiable information. It also attempts to outlaw illicit use of "botnets," defined in the bill as "the capability to gain access to or remotely control without authorization" computers belonging to financial institutions or involved in commerce.

For offenders of those crimes, the bill proposes beefing up penalties to as many as 30 years in prison--rather than the existing maximum of 10- to 20-year sentences. That move received the Justice Department's endorsement but drew skepticism from Rep. Dan Lungren, the California Republican who heads a cybersecurity panel in the House Homeland Security Committee. Lungren said he's concerned the bill focuses too heavily on prosecuting crimes that have already been committed and not enough on the consumer side of combating the problem. "What I'm concerned about is the lack of knowledge among consumers of what they can do to protect themselves...and I am one of those consumers," he said.
The House hearing comes one day after President Bush met with identity theft victims at the White House and announced the creation of an identity theft "task force" chaired by the Attorney General and the chairman of the Federal Trade Commission. The FTC also launched its own identity theft education campaign in which it planned to dispatch videos and literature to "victim advocate" organizations for distribution to the public.

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/