Data-privacy bills have moved closer to becoming laws on Capitol Hill this spring, reinvigorated by a fresh round of news about massive personal-data losses by retailers and government agencies alike.
The U.S. Senate Judiciary Committee in May approved a pair of data-privacy bills that require businesses to notify consumers if their data are lost or stolen, though one of the bills creates an exemption if the breach involves only credit card numbers.
The "Personal Data Privacy and Security Act of 2007," introduced by committee Chairman Sen. Patrick Leahy (D-Vt.) and Sen. Arlen Specter (D-Pa.), would require businesses that experience a breach to inform consumers, law-enforcement agencies and credit-reporting agencies.
"This bill also provides for tough criminal penalties for anyone who would intentionally and willfully conceal the fact that a data breach has occurred when the breach causes economic damage to consumers," Leahy said in a statement.
The bill also would require data brokers to disclose to individuals the data they have about them and allow them to correct the information if it is incorrect.
Also in May, the committee passed another, less-restrictive bill sponsored by Sen. Dianne Feinstein (D-Calif.). The "Notification of Risk to Personal Data Act of 2007" would require businesses to notify consumers only if the breach results in a "reasonable risk" of harm.
Feinstein's bill exempts notification if the only information stolen is credit card numbers and if the card issuer uses a security program designed to fight financial fraud. However, the bill requires breached organizations to notify customers if fraudulent transactions occur.
"Victims of a security breach often don't even know that their personal or financial information has been compromised," Feinstein said in a statement. "Without that knowledge, individuals are left defenseless to identity thieves."
Meanwhile, a bill passed in April by the Senate Commerce Committee, the "Identity Theft Prevention Act," would require entities that handle sensitive personal information to notify the public that a security breach has created "a reasonable risk of identity theft." The bill is sponsored by Sen. Ted Stevens (R-Alaska), Sen. Gordon Smith (R-Ore.), and Sen. Mark Pryor (D-Ark.). At C&P press time, each of the bills had moved to the full Senate for consideration.
In the House, Rep. Barney Frank (D-Mass.), chairman of the House Financial Services Committee, said in a speech in February that he plans to introduce a bill that exempts notification if the data have been encrypted. No update on Frank's plans for the bill was available by C&P's deadline.
A slew of federal data-privacy bills introduced in different committees last year created a bottleneck that resulted in nothing getting passed, according to Fritz Elmendorf, spokesperson for the Community Bankers Association. This year may be different, but too many committees are still competing for jurisdiction, he says. "The judiciary, banking and commerce committees are all coming up with legislation trying to address data breaches," Elmendorf says.
Banks already are required to disclose breaches, Elmendorf notes. But recent data breaches at merchants, government agencies and schools have reignited the public's and lawmakers' interest in farther-reaching privacy laws.
(c) 2007 Cards&Payments and SourceMedia, Inc. All Rights Reserved.