November 5, 2009 – Eric Chabrow, Managing Editor
The Senate Judiciary Committee Thursday approved two companion bills that would require businesses and government agencies to notify individuals of security breaches involving sensitive personally identifiable information. Both bills go to the Senate for consideration.
The Personal Data Privacy and Security Act, or S. 1490, designates as fraud unauthorized access of sensitive personally identifiable information, which would lead to racketeering charges. The measure, sponsored by Committee Chairman Patrick Leahy (at left), D.-Vt., also would prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim.
The other measure, the Data Breach Notification Act, or S. 139, would require federal agencies and businesses engaged in interstate commerce to notify American residents whose personal information is accessed when a security breach occurs. An exception: if notification would hinder national security or a law enforcement investigation. S. 139, sponsored by Sen. Dianne Feinstein, D.-Calif., also would require notice to the Secret Service if records of more than 10,000 individuals are obtained or if the database breached has information on more than 1 million people, is owned by the federal government, or involves national security or law enforcement.
Among the objections raised by Sens. Jeff Sessions of Alabama, the committee’s ranking Republican, and Jon Kyl of Arizona, the Republican whip, focused on the provisions defining personally identifiable information (PII) to include an individual’s full name along with at least two of the following: the person’s birth date, home address, telephone number and mother’s maiden name.
Sessions said this information is available from other public records, such as a telephone directory, and would place an undue financial burden on businesses to notify customers of the breach if that was the only information exposed. Kyl said if the bill results in too many notices being sent, consumers might ignore them, similar to how the public views the orange alert on terrorism. “With frequent notices, customers may not worry about it,” he said.
Another objection raised by a few Republicans – a point dismissed by some of their Democratic colleagues – was the bankruptcy provision in the Leahy bill. The consensus of committee members was that a person victimized by identity theft should face bankruptcy but several GOP members worried that the provision might be used to get persons facing bankruptcy for other reasons off the hook if they also had their identities compromised.
Still, Leahy said the legislation, first introduced four years ago, is overdue, and the public is clamoring for it. He cited a Unisys study that contends more Americans are concerned about identity theft than the H1N1 virus or meeting their financial obligations. Since 2005, the year the bill was first proposed, more than 340 million records containing sensitive PII have been involved in data breaches, he said, citing a Privacy Rights Clearinghouse report.
“This loss of privacy is not just a grave concern for American consumers; it is also a serious threat to the economic security of American businesses,” Leahy said. “The president’s recent report on Cyberspace Policy Review noted that industry estimates of losses from intellectual property to data theft in 2008 range as high as $1 trillion. The FBI’s latest annual report on Internet crime found that online crime hit a record high in 2008 – a 33 percent increase over the previous year. This loss of data privacy is a serious and growing threat to the economic security of American businesses.”