Complain about a product or service

Congress Takes On Data Security

Critics Say Bills Don't Do Enough to Hold Business & Government Accountable

By Martin H. Bosworth
ConsumerAffairs.com

January 12, 2007

Data Theft • 68,000 CalOptima Members at Risk in Data Breach • Express Scripts Extortion Scheme Widens • Technology Could Be Key To Stopping Unauthorized Charges • T-Mobile: No Hacking in Data Breach • T-Mobile Confirms Data Breach • Consumers Increasingly Concerned About Online Transactions • Are Identity Theft Services Worth the Cost? • Online Tools Help Spot Financial Fraud • Financial Fraud Hits 7.5 Percent Of Americans In 2008 • Feds Charge Mortgage Broker In Potential Data Breach • Millions of Credit Cards Exposed in Data Breach • 2008 Data Breach Total Soars • Bank Data Breach Threatens 248,000 in North Carolina • GPS Not Foolproof • Countrywide Warns Millions of Data Breach • Thieves Steal AT&T Laptop with Employee Data • Report: Data Breach Disclosure Laws Don't Affect Identity Theft • Patient Information Exposed in Data Breach at Walter Reed • Supermarket Chain Reports Data Breach • Report: Feds Still Not Doing Enough To Secure Data • Data Thieves Hit Georgetown University Students, Faculty • 800,000 Job Seekers At Risk In Gap Data Breach • TJX Data Breach Settlement Has Strings Attached • More ...

Several bills to improve government data security and enforce notifications of data breaches are back on Congress' agenda, but privacy and security advocates say the proposed laws don't go far enough.

Sen. Dianne Feinstein (D-CA) has introduced two bills on data security.

One, the "Social Security Number Misuse Prevention Act," would set restrictions on the collection, sale, and display of Social Security numbers by third parties without the accountholder's consent.

The bill would set "some limitations" on businesses that request the number, according to Feinstein's office.

"If a person's Social Security number is compromised, the path to identity theft is a short one," Feinstein said. "We must ensure that government agencies and businesses take responsibility and protect Americans' Social Security numbers."

The Misuse Prevention Act contains exemptions for law enforcement, public health agencies, and businesses to collect and store Social Security numbers for credit and fraud checks, leading critics to say that the bill has too many loopholes to be effective.

The Misuse Prevention Act was co-sponsored in part by Sen. John Sununu (R-NH), who recently made waves himself by calling for legislation to prevent the FCC from forcing electronics companies to include "broadcast flags" in their products, designed to stop copying of content.

Individuals "Left Defenseless"

Feinstein's second bill, the "Notification of Risk to Personal Data Act," sets rules for businesses and agencies that collect personal data to notify individuals of a breach "without unreasonable delay."

The bill would require media notification in all circumstances, and Secret Service notification if the breach exceeded 10,000 individual records or one million database entries.

"Individuals cannot take the appropriate steps to protect themselves if they are not armed with detailed information about the breach," Feinstein said. "Without that knowledge, individuals are left defenseless to identity thieves."

However, the bill contains several significant exemptions.

First, law enforcement agencies that are hit with data breaches could delay notification if they deemed it to be a security risk.

Businesses can escape the notification law by performing "risk assessments" privately and sharing the results with the Secret Service.

And like many previous data security bills that made their way through Congress, Feinstein's bill preempts state laws, including California's, which is much more stringent than Feinstein's measure.

Marc Rotenberg, director of the Electronic Privacy Information Center (EPIC), said the bill's current draft "contains too many exceptions and too few rights for Americans whose personal information has been improperly released."

Privacy Is Not A Priority

Critics question whether Feinstein's bills will do much to cure cavalier attitude government and business displays towards the security of individuals' data.

Every data breach from the Veterans' Administration to Boeing follows a familiar pattern: A massive data breach takes place, the company or agency claims it is an isolated incident, claims to somehow discern that the thieves were after the hardware not the data, offers token credit monitoring services to the victims, and goes back to whatever it was doing.

In the case of the VA, The Hill newspaper recently exposed the agency's lack of concern for Congressional mandates to improve its data security and collection procedures.

An unidentified whistleblower provided the newspaper with taped meeting conversations, in which VA officials expressed disdain for the demands.

"If you want to know what's the real purpose of the data call, read Machiavelli. It's about power, it's about Congress saying, 'VA, you're accountable to us,'" Veterans Affairs official Dr. Joseph Francis is quoted as saying. "We're not asking people to do an A-plus job on this report."

So far Congress has largely left it up to government agencies to decide how to safeguard data.

A bill was introduced in the previous Congress by Rep. Tom Davis (R-VA) to "institute procedures" for agencies to follow in the event of a data breach -- but that was essentially all it did, without any specific guidance as to what those procedures might be.

And the passage of bills criminalizing "pretexting" -- the practice of gaining individuals' records using false pretenses -- in the closing days of the last Congress was soured by the exemptions granted law enforcement, which torpedoed previous attempts to pass anti-pretexting laws.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Share		Follow us on Twitter.

Back to the top |