January 11, 2006
LEGISLATIVE UPDATE

Congress to Focus on Data Security Legislation in 2006



As a new legislative year begins, it is a good time to review relevant legislation from 2005 and look ahead to what we expect to be an active period at both the federal and state levels. New data protection legislation has already been introduced in multiple states, and federal bills passed out of various committees at the end of last year have been placed on the Senate docket. While movement on these bills is not imminent due to Supreme Court nominee hearings and other legislative priorities, we expect to see action in the coming months.


Key Federal Legislation

Personal Data Privacy and Security Act (S. 1789) - The Senate Judiciary Committee passed the most far-reaching data protection legislation, sponsored by Chairman Specter (R-PA), Ranking Democrat Sen. Leahy (VT), and Sen. Feingold (D-WI), last November. The bill requires companies to provide notice of security breaches, enhances criminal penalties, and calls for protections against security breaches, fraudulent access, and misuse of personally identifiable information. The bill contains elements that could be burdensome and costly for KITK members, and we will be working with the sponsor’s staffers as needed as this legislation progresses.

Notification of Risk to Personal Data Act (S. 1326) - Introduced in the Judiciary Committee by Sen. Sessions (R-AL), this legislation was approved in committee and sent to the Senate floor in late October. This bill requires businesses and organizations to notify consumers if there is a security breach involving their information and if they may be at risk of identity theft. This bill would not affect most Kids in the Know members, as sensitive personal information is defined as a person’s name, address, telephone number and social security number.

Identity Theft Protection Act (S. 1408) - Sen. Smith (R-OR) sponsored this legislation that passed out of the Committee on Commerce, Science, and Transportation late last year. It sets national standards for notifying consumers of data breaches, requires companies and nonprofits to improve their safeguards for sensitive consumer information, and enables consumers to put a freeze on their credit reports.

All three of the bills listed above have been placed on the Senate Legislative Calendar and await further action.


Other Federal Legislation

In addition to these bills, we reported on other legislation introduced in 2005 related to identity theft and data privacy.

Notification of Risk to Personal Data Act (S. 751) - Introduced by Sens. Feinstein (D-CA) and Kyl (R-AZ), this bill would require Federal agencies and those engaged in interstate commerce, in possession of data containing personal information, to disclose any unauthorized acquisition of such information. It was referred to the Judiciary Committee.

Comprehensive Identity Theft Prevention Act (S. 768) - Sens. Charles Schumer (D-NY) and Bill Nelson (D-FL) introduced this legislation that focuses on increasing oversight of data brokers, requiring new security measures, and creating a new FTC office to help victims of identity theft. It was referred to the Committee on Commerce, Science, and Transportation.

Privacy Act of 2005 (S. 116) - Sen. Feinstein introduced this bill that would require companies to notify consumers when they collect information, including telling them how the information may be used or transferred, and give them the opportunity to opt out of the sharing of information with other entities. It was referred to the Judiciary Committee.

Social Security Number Misuse Protection Act (S. 29) - Also sponsored by Sen. Feinstein, this bill would prohibit the sale or display of Social Security numbers to the public without individuals' knowledge and consent. It was referred to the Judiciary Committee as well.

Information Protection and Security Act (S. 500, H.R. 1080) - Sen. Bill Nelson (D-FL) and Rep. Ed Markey (D-MA) introduced identical bills in the Senate and House to regulate information brokers and personally identifiable information. Both bills have been referred to their respective commerce committees.

Data Accountability and Trust Act (DATA) (H.R. 4127) - The House Subcommittee on Commerce, Trade and Consumer Protection passed this legislation introduced by Chairman Stearns (R-FL) and Rep. Pryce (R-OH), and it has been forwarded to the full Commerce Committee for review. The bill would not have a significant impact on most Kids in the Know members, primarily because it limits its definition of “security breach” to the loss or theft of data when “there is a significant risk of identity theft to the individual.” It also defines “personal information” as a combination of name and “sensitive information” such as a person’s Social Security number, driver’s license numbers, and numbers associated with financial accounts.

Consumer Privacy Protection Act of 2005 (H.R. 1263) - Rep. Cliff Stearns (R-FL), a longtime advocate of stiff privacy protection laws and the Chairman of the House Subcommittee on Commerce, Trade, and Consumer Protection, introduced this bill that would require list developers to notify consumers when information is collected, disclose who might use the information, and give them the opportunity to opt out of any sale or disclosure of their information to third parties. It was referred to the Subcommittee on Commerce, Trade and Consumer Protection.

Notification of Risk to Personal Data Act (H.R. 1069) - Rep. Melissa Bean (D-IL) introduced a bill, which is similar to an existing California law, that requires companies to notify consumers if there was a breach of security to the system. It was referred to the Subcommittee on Financial Institutions and Consumer Credit.

Social Security Number Protection Act of 2005 (H.R. 1078) - Rep. Markey introduced a bill directing the FTC to draft regulations restricting the sale of Social Security numbers. It was referred to the Subcommittee on Commerce, Trade and Consumer Protection.


In the States

Four states have already introduced data protection legislation in 2006 – Kentucky, Indiana, Nebraska, and New Hampshire. All are similar to the 2003 California data protection bill, and would not affect Kids in the Know members due to their definition of personal information (an individual’s first name or first initial and last name in combination with one or more of the following elements: social security number, driver’s license number, or account number or credit card number).

A policy analyst at the Consumers Union said of the situation, “Many states are starting to deal with the problem. A national solution is great if done the right way but it could actually set us back.”

In addition, Illinois’ data protection law, the Personal Information Protection Act, went into effect this month. The law, modeled after California’s law, requires businesses to report security breaches involving personal information. Upon signing the law, Gov. Blagojevich said it "can help individuals take steps to protect their assets and identities before thieves wreak havoc on their credit."

We will continue to monitor the legislation both in Congress and in the state legislatures and keep you informed on all future actions.






For more information about the issues outlined in this update – or for information about Kids in the Know’s other activities – send an e-mail to info@kidsintheknow.org.
