Live From Washington: New Data Legislation Heralds Senate Hearing

Several U.S. Senators used a hearing on personal data security as a backdrop for legislative initiatives.

Shortly before testimony on electronic personal data security and government and commercial use started, Sens. Charles E. Schumer (D-NY) and Bill Nelson (D-FL) debuted the Schumer-Nelson Identity Theft Bill. The bill’s provisions seek to create an office of identity theft within the Federal Trade Commission, with a budget of $60 million per year for five years, strengthen and expand the FTC’s regulatory duties regarding the compiled information industry and create an assistant secretary for cyber security within the Department of Homeland Security.

Asked about the FTC’s reaction to the proposed identity theft office, Schumer said that he and Nelson had consulted with the organization.

“They haven’t taken a position yet,” he said. “We don’t want a partial approach, we don’t want a weak approach.”

During the hearing, Schumer asked FTC chair Deborah Platt Majoras about the Commission’s role in regulating data brokers. Majoras, who was less than certain when asked the same question last month in front of the Senate Banking, Housing and Urban Affairs Committee, confidently responded that the FTC does, in fact, have jurisdiction over data brokers through a patchwork of legislation.

But Schumer wanted Majoras to validate his newly introduced legislation. “One of the biggest complaints I have heard about is that people don’t know where to go or what to do,” he said. “When a car breaks down, you know where to go. When you are the victim of a burglary, you know where to go – the police station. But when you get your identity stolen, you don’t know where to go.”

Schumer continued: “What do you think, off the top of your head, of the idea of creating this office in the FTC of identity theft? We’ll fund it, obviously, we’d spend $60 million so that people would have a place to go with experts who could help them clear their name.”

“In my eight months on the job I don’t think I’ve ever turned down any additional funding, Senator,” Majoras replied. “Thank you.”

Schumer and Nelson’s bill, S. 768, would also regulate data merchants in a fashion similar to current regulation of credit bureaus. Regulatory efforts would include:

*Requiring data merchants to register with the FTC

*Instituting safeguards to prevent access by unauthorized parties

*Developing a customer authentication program

*Tracking records accessed, as well as the purpose they were used for

*Allowing customers to know which data merchants have their data, and establishing an error-correction process

*Setting accuracy standards for information kept by data merchants

*Tightening regulations on the sale of credit header information by credit bureaus

Furthermore, companies that collect sensitive personal information with the intent of selling or transferring that data would have to include a disclosure box warning consumers in “plain English” that their information may be sold or given to an unaffiliated third party without their consent.

Companies would have to notify consumers of data breaches. Consumers would have the option of requesting that their information be completely purged from the company’s database.

Companies would be required to take “reasonable steps” to protect the information they store, with the following additional provisions for Social Security numbers:

*Firms would not be allowed to ask for them unless the numbers are required in the normal course of business

*Firms would not be allowed to display them on employee identification cards

*Prisoners would not have access to them as part of their prison jobs

*Firms would not be permitted to purchase or sell them, except for law enforcement, national security and fraud-prevention purposes

The bill requires that the FTC study national, state and local governments’ public postings of Social Security numbers and recommend ways to reduce their misuse; provide an annual report on identity theft; study international identity theft, and ways to combat it; and create a blue-ribbon working group, consisting of both consumer and industry representatives. This group would explore ways for private entities to protect public data.

The bill allows both the FTC and attorneys general to issue fines of up to $1,000 per violation.

During the hearing, Sen. Russ Feingold (D-WI) announced that within the next few days he will reintroduce his Data Mining Reporting Act legislation, which seeks to give transparency to government analysis projects. The Act would require all federal agencies to report to Congress how they use data mining programs to discover terrorist or criminal activity, as well as the impact they have on individuals’ privacy and civil liberties.

“We don’t know under what circumstances government employees can obtain access to these databases or for what purpose,” Feingold said. “We don’t know how government agencies evaluate the accuracy of the databases to which they subscribe, or how the accuracy level affects government use of the data. We don’t know how employees are monitored to ensure they do not abuse their access to these databases, or how those who misuse the information are punished.”

Feingold’s bill would not end funding for any program, or establish rules for the use of technology. But it would allow Congress to review the costs and benefits of data mining practices, and to issue judgments regarding which programs should and should not go forward.

Separately, Vermont attorney general William H. Sorrell, who is also the president of the National Association of Attorneys General, outlined suggestions for additional legislation. According to his testimony, Sorrell recommends:

Passing a federal security breach notification law that doesn’t supersede more protective state laws.

Enacting a federal program that regulates data brokers, again with the provision that it not preempt state laws.

Strengthening the Gramm-Leach-Bliley Act’s “safeguard rules” to include minimum standards for information security, and ensuring that these new rules cover data brokers.

Finally, prohibiting companies from posting online any publicly available document that contains an individual’s name and private financial account number.