ID Theft Legislation ‘Good First Step’ but Could be Broader, Witnesses Say
A discussion draft of data protection legislation by the House Commerce, Trade and Consumer Protection subcommittee is generally a good first step, witnesses said Thurs. The draft strikes the right balance between high standards and flexibility for businesses, said TRUSTe Pres. Fran Maier. Other witnesses agreed with her assessment, but also said the bill could use additions and clarifications. The hearing was held to gain input on the subcommittee draft.
ID theft and data breaches have “haunted us for too long,” said Rep. Towns (D N.Y.), and the time has come to act. Subcommittee Chmn. Stearns (R-Fla.) noted the proposed legislation includes: (1) A mandate for the FTC to create rules for data security. (2) A requirement for data brokers to submit security policies to the FTC yearly. (3) Establishment of a national policy for consumer data breach notification.
The subcommittee should focus on misuse, not ID theft, said Chris Hoofnagle, Dir. of Electronic Privacy Information Center’s (EPIC) West Coast Office. “Identity theft is not the only risk of data security breaches,” he said, citing cases where stolen personal data has been used for extortion or stalking. The bill should have a provision for audit trails, which investigators can use to learn who has had access to data, he said. Audit trails work better to deter insider data theft than encryption does and also cut the time it takes to find where and when a breach occurred, he said. Entrust Govt. Affairs Vp Daniel Burton endorsed the need to audit a company’s entire security policy, but Maier and Microsoft attorney Michael Hintze said while audit trails are important, the issue might not be appropriate for broad federal law and could be addressed in FTC rulemaking.
Federal preemption is important, witnesses agreed, but state attorneys gen. need to be empowered to enforce the U.S. law, they said. State AGs play a “vital” role in enforcement and Microsoft supports a clarification in the law similar to language in anti-spam legislation letting state AGs sue in U.S. courts, said Hintze. There should be a lot of support for federal preemption, he said, because companies are looking to the bill to provide a regulatory baseline.
The legislation should represent a statutory floor, not a ceiling, said Hoofnagle. States should be able to write laws whose strictures exceed those in federal legislation now in draft when new problems arise, he said. Questioned by Stearns about whether this would prompt a wave of state laws that must be preempted, Hoofnagle said most federal privacy legislation preempts state law at a floor level and hasn’t produced a wave of state laws. “When Congress does a good job, states tend not to try to pass conflicting responses,” he said.
The bill gets a lot right, but needs 3 more provisions, said Burton. The law should engage corporate executives in data security, ensuring they view “information security as a key component of their business plans and not just another burdensome technology issue,” he said. He also wants a safe harbor for firms that encrypt data. He suggested the bill’s definition of encryption reference the National Institute of Standards and Technology (NIST) encryption standard. Many entities storing personal data don’t keep data safe “either by choice or because they don’t understand how to” and won’t secure data without federal guidelines, Burton said.
The panel should ensure firms aren’t burdened by excess regulation, said Rep. Blackburn (R-Tenn.). The bill needs to account for a business’s size and sophistication as well as sensitivity of the data it holds, Hintze said. Microsoft might support an exception, he said, for businesses handling small amounts of data, such as fewer than 5,000 files a year. The focus should be on data, not who holds it, Burton said. A small business storing large amounts of personal data should be held accountable for breaches, he argued. Risk grows when private data are commingled with public identifiers, Burton said. It’s important to put all entities collecting data under the law’s jurisdiction, Maier said: “Consumers are going to feel violated” anytime their personal data is compromised.
Meanwhile, ID theft legislation moved a step closer to law Thurs. when the Identity Theft Protection Act (S-1408) won approval in a full Senate Commerce Committee markup session. Sen. Dorgan (D-N.D.) introduced the only change to the bill at the markup, sponsoring an amendment barring sale of Social Security numbers. The bill, which includes provisions for federal preemption and empowers state attorneys general to sue in federal court, would require all entities holding sensitive data to comply with existing FTC rules and provide notice of data breaches. It also would let consumers freeze their credit in event of a breach -- a matter not discussed in the House hearing. - Tom Wonder