Several bills to improve government data security and enforce notifications of data breaches are back on Congress' agenda, but privacy and security advocates say the proposed laws don't go far enough.
Sen. Dianne Feinstein (D-CA) has introduced two bills on data security.
One, the "Social Security Number Misuse Prevention Act," would set restrictions on the collection, sale, and display of Social Security numbers by third parties without the accountholder's consent.
The bill would set "some limitations" on businesses that request the number, according to Feinstein's office.
"If a person's Social Security number is compromised, the path to identity theft is a short one," Feinstein said. "We must ensure that government agencies and businesses take responsibility and protect Americans' Social Security numbers."
The Misuse Prevention Act contains exemptions for law enforcement, public health agencies, and businesses to collect and store Social Security numbers for credit and fraud checks, leading critics to say that the bill has too many loopholes to be effective.
The Misuse Prevention Act was co-sponsored in part by Sen. John Sununu (R-NH), who recently made waves himself by calling for legislation to prevent the FCC from forcing electronics companies to include "broadcast flags," designed to stop the copying of content, in their products.
Individuals "Left Defenseless"
Feinstein's second bill, the "Notification of Risk to Personal Data Act," sets rules for businesses and agencies that collect personal data to notify individuals of a breach "without unreasonable delay."
The bill would require media notification in all circumstances, and Secret Service notification if the breach exceeded 10,000 individual records or one million database entries.
"Individuals cannot take the appropriate steps to protect themselves if they are not armed with detailed information about the breach," Feinstein said. "Without that knowledge, individuals are left defenseless to identity thieves."
However, the bill contains several significant exemptions.
First, law enforcement agencies that are hit with data breaches could delay notification if they deemed it to be a security risk.
Businesses can escape the notification law by performing "risk assessments" privately and sharing the results with the Secret Service.
And like many previous data security bills that made their way through Congress, Feinstein's bill preempts state laws, including California's, which is much more stringent than Feinstein's measure.
Marc Rotenberg, director of the Electronic Privacy Information Center (EPIC), said the bill's current draft "contains too many exceptions and too few rights for Americans whose personal information has been improperly released."
Privacy Is Not A Priority
Critics question whether Feinstein's bills will do much to cure the cavalier attitude that government and business display toward the security of individuals' data.
Every data breach, from the Veterans' Administration to Boeing, follows a familiar pattern: A massive data breach takes place, the company or agency claims it is an isolated incident, claims to somehow discern that the thieves were after the hardware and not the data, offers token credit monitoring services to the victims, and goes back to whatever it was doing.
In the case of the VA, The Hill newspaper recently exposed the agency's lack of concern for Congressional mandates to improve its data security and collection procedures.
An unidentified whistleblower provided the newspaper with taped meeting conversations, in which VA officials expressed disdain for the demands.
"If you want to know what's the real purpose of the data call, read Machiavelli. It's about power, it's about Congress saying, 'VA, you're accountable to us,'" Veterans Affairs official Dr. Joseph Francis is quoted as saying. "We're not asking people to do an A-plus job on this report."
So far Congress has largely left it up to government agencies to decide how to safeguard data.
A bill was introduced in the previous Congress by Rep. Tom Davis (R-VA) to "institute procedures" for agencies to follow in the event of a data breach -- but that was essentially all it did, without any specific guidance as to what those procedures might be.
And the passage of bills criminalizing "pretexting" -- the practice of gaining individuals' records using false pretenses -- in the closing days of the last Congress was soured by the exemptions granted law enforcement, which torpedoed previous attempts to pass anti-pretexting laws.