New Privacy Bills Introduced in Congress

House and Senate Hearings Focus on Database Security

The series of cases involving the loss or theft of personal consumer data from major companies made March a month of congressional hearings and the introduction of new legislation. And when lawmakers return to Washington next week after a two-week Spring break they are expected to renew their focus on privacy issues and consider how to act on a range of proposed new restrictions or requirements.

Major security breaches involving ChoicePoint, LexisNexis, and Bank of America were the focal point of hearings in the House and Senate. At the same time, five bills were introduced that would have an impact on users of databases, and prominent lawmakers are promising to introduce additional bills in the future.

While the spotlight is currently on identity theft, improving the security of databases, and restricting the use of Social Security numbers, legislation introduced in Congress contains provisions of concern to Kids in the Know members. Those measures, or others yet to be introduced, could also serve as vehicles for more sweeping and troublesome provisions.

New Restrictions Proposed

New legislation introduced in the House and Senate this month includes:

• Information Protection and Security Act (S. 500, H.R. 1080) -- Sen. Bill Nelson (D-FL) and Rep. Ed Markey (D-MA) introduced identical bills in the House and Senate to regulate information brokers and personally identifiable information. Besides several security-related provisions, the measures direct the Federal Trade Commission (FTC) to write regulations that, among other things, require list holders to reveal what information they have about an individual and tell which entities have used the information to them.

• Consumer Privacy Protection Act of 2005 (H.R. 1263) -- Rep. Cliff Stearns (R-FL), the Chairman of the House Subcommittee on Commerce, Trade, and Consumer Protection and a longtime privacy advocate, introduced a comprehensive bill. In addition to identity theft provisions, it would require list developers to notify consumers when information is collected, disclose who might use the information, and give them the opportunity to opt-out of any sale or disclosure of their information to third parties.

• Notification of Risk to Personal Data Act (H.R. 1069) -- Rep. Melissa Bean (D-IL) introduced a bill, which is similar to one introduced earlier by Senator Dianne Feinstein (D-CA) and an existing California law, that requires companies to notify consumers if there was a breach of security to the system. It applies only to the possible disclosure of Social Security, driver's license, credit card, or bank account numbers.

• Social Security Number Protection Act of 2005 (H.R. 1078) -- Rep. Markey, a senior member of the House Energy and Commerce Committee, also introduced a bill directing the FTC to draft regulations restricting the sale of Social Security numbers.

House and Senate Hearings

The U.S. Senate Committee on Banking, Housing, and Urban Affairs held hearings that featured testimony from the Chairman of the FTC, representatives of the Secret Service and the Comptroller of the Currency, executives of ChoicePoint and Bank of America, and several senators. The FTC Chairman also appeared before a hearing of the House Subcommittee on Commerce, Trade, and Consumer Protection, which also featured executives from ChoicePoint, LexisNexis, and a leading privacy advocate.

The testimony ranged from an analysis of the current level of security to proposals for new restrictions and laws. Notable comments and developments included:

• Rep. Joe Barton (R-TX), the powerful Chairman of the House Energy and Commerce Committee, testified at the House hearing that, "We're going to make some decisions about whether we need to set national standards" to protect consumers when their personal information is lost or wrongfully disclosed. In a statement, he also said he sees "...no socially redeeming value in anyone having the right to market or use Social Security numbers and other personal information without my approval."

• Senator Patrick Leahy (D-VT), the ranking Democrat on the Senate Judiciary Committee, testified that, "Consumers should know who has their data, what it is being used for, and how they can correct mistakes."

• Senator Jon Corzine (D-NJ) said he plans to introduce the Identity Theft Prevention and Victim Notification and Assistance Act, which, among other goals, would establish the FTC as the primary regulator of non-financial data collectors.

• Senator Chuck Schumer (D-NY), while not at the hearing, has been very vocal on this issue, saying he would introduce legislation to establish federal rules limiting who can provide or sell access to private information.

These bills follow the January introduction of three bills by Senator Feinstein. A Senate Judiciary Committee hearing is scheduled for April 13 on one of those bills, the Notification of Risk to Personal Data Act (S.115), which would require companies to notify affected individuals if there is a breach in their data system.

The most troubling Feinstein bill is the Privacy Act of 2005 (S. 116), which would require companies to notify consumers when they collect information, including telling them how the information may be used or transferred, and give them the opportunity to opt-out of the sharing of information with other entities. The third bill, the Social Security Number Misuse Protection Act (S. 29), would prohibit the sale or display of Social Security numbers to the public without individuals' knowledge and consent.

While it's far from certain how Congress will proceed, or what shape legislation may take and how sweeping it may be, it's clear that members of both parties are anxious to act.