The Senate Judiciary Committee has taken another step toward broad-based U.S. data privacy legislation, approving a pair of bills to tighten rules for notifying consumers about data breaches and increasing measures for securing data.
The Judiciary Committee approved last week the Data Privacy and Security Act of 2007, co-sponsored by Vermont’s Patrick Leahy and Pennsylvania’s Arlen Specter. The bill increases criminal penalties for data breaches and requires data brokers to let consumers know what information they have collected about them – and give consumers a chance to correct any information they feel is inaccurate. The Judiciary Committee also approved the Notification of Risk to Personal Data Act, sponsored by California Sen. Dianne Feinstein, which mandates a national “trigger” for notifying consumers of a security breach that compromises their personal information and puts them at “reasonable risk.” There are several other privacy-related bills wending their way through the Senate and House, which the Center for Democracy and Technology summarizes nicely here.
Congress has been down this road before, with little to show for it. This is the second go-round for Leahy and Specter’s bill; it died during the last session of Congress without a floor vote. A lack of federal legislation has left individual states to create their own data privacy laws, and 35 have done so to date. The multiple state laws make compliance a bear for companies doing business across state lines, but critics have dinged earlier attempts at federal legislation for vague language or toothless mandates. Many agree, however, that the time is right for some type of broad-based national privacy law.
Data privacy is a tricky issue for federal legislators, who don’t want to take the teeth out of the individual state laws but are under increasing pressure to react to the spate of data breaches from the likes of TJX and many other companies, academic institutions and government agencies. The Privacy Rights Clearinghouse has an unnerving chronology of known data breaches since 2005 and keeps a running tally of the number of compromised records, which the group currently pegs at … drumroll please … 153,800,715.