September 26, 2005
The Senate Judiciary Committee is expected to vote this week on legislation that would make it a crime for data brokers to conceal a security breach involving consumer data. The measure adds teeth to legislation pending elsewhere in the Senate by providing for criminal prosecution.
A bill approved earlier by the Senate Commerce Committee requires data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a "reasonable risk" of the breach resulting in identity theft.
Similar bills are pending in the House, and a few states have begun regulating data brokers, though most of the state laws have yet to be tested.
Action by Congress is always a two-edged sword. Financial industry lobbyists are swarming over the Hill pushing for a federal statute that would undermine the toughest of the state laws.
Wall Street is worried about a patchwork of state and local laws and wants "a clear national standard," said Ira Hammerman, general counsel for the Securities Industry Association, a trade association.
Banks are pushing for regulations that would require notification of consumers only when a data breach involves data that could be used in identity theft -- name, address, Social Security number and account information -- as opposed to data breaches that involve only the customer's name and account information.
"Congress should focus on a uniform approach that is designed to protect consumers from actual harm," said Oliver I. Ireland, who testified on behalf of the American Bankers Association.
"It is not necessary to design a completely new system to address the issue," Ireland said. "The regulations that already apply to banking institutions offer policymakers both a model and a measure of experience to aid in establishing umbrella consumer protections that span all industries that maintain sensitive consumer information."
But Congress is also under pressure from consumer organizations who have pledged to expose any watering-down of basic protections to make life easier for big-bucks contributors.
Recent identity thefts involving Hurricane Katrina victims have enraged many voters, and industry-friendly politicians are already feeling queasy about the issue. Louisiana officials said last week that identity thieves were preying on Katrina victims and in the process depriving them of federal assistance.
In one instance, scam artists posing as Salvation Army volunteers allegedly convinced New Orleans police officers to sign up for debit vouchers worth $5,000 each, thereby getting the officers' names, addresses and Social Security numbers.
State Laws
California was the first state to require that data brokers disclose data breaches, but a judge last week refused to order Visa and MasterCard to notify consumers whose account information was compromised by faulty security procedures at CardSystems Solutions, a card payment processor.
New Jersey has just adopted tough new laws and other states are in the process of implementing measures to regulate data brokers.
Prior to the California disclosure law, data brokers admitted in testimony before Congress they simply did not inform consumers of data breaches and the resulting threat of identity theft.
In addition to making it a crime to conceal a data breach, the legislation before the Judiciary Committee limits the buying, selling or displaying of a Social Security number without prior consumer consent. It also bars government agencies from posting on the Internet public records that contain Social Security numbers.
Sen. Russell Feingold (D-Wis.) said the legislation also adds provisions to regulate the federal government's use of commercial data.
"While I believe the government should be able to access commercial databases in appropriate circumstances, there are few existing rules or guidelines to ensure this information is used responsibly," he said. The bill requires that federal agencies that subscribe to commercial data adopt standards governing the use of the data.