July 26, 2005
LEGISLATIVE UPDATE

Senate Panels Poised to Act on
Database Security Measures


Two key Senate committees are scheduled to meet Thursday and approve legislation dealing with database security and identity theft. Since the beginning of the year, lawmakers have felt an urgent need to act. There has been a steady drumbeat of reports on the loss of sensitive data by ChoicePoint and other companies, giving new prominence to the issue of databases and the impact of security breaches on consumers. 
 
Throughout the year, Kids in the Know has been working to ensure that lawmakers do not use the concerns about identity theft to pursue a more sweeping privacy-related agenda – such as enacting opt-in requirements, stringent notification requirements, and limits on children’s information – that would restrict the use of mailing lists.  As Senators coalesce around two bipartisan bills, it appears that the focus is, so far, remaining fairly narrow, although there are a few points of concern.
 
Commerce Committee Bill

The Senate Commerce Committee will consider long-awaited bipartisan legislation, which should have a minimal impact on Kids in the Know members.  The lead sponsors of the bill, Senators Smith (R-OR) and Nelson (D-FL), joined by co-sponsors Senators Stevens (R-AK), Inouye (D-HI), McCain (R-AZ) and Pryor (D-AR), designed the bill to set national standards for notifying customers of data breaches, require businesses to improve their safeguards for sensitive consumer information, limit the solicitation of social security numbers, and, unlike other data notification bills, enable customers to freeze their credit reports to prevent identity theft. 
 
More specifically, if any sensitive personal information is lost or otherwise breached, and there is a reasonable risk that the information could be used for identity theft, the holder of that information is required to notify the consumers affected.

Under this bill, sensitive information means an individual's name, address, or telephone number combined with one or more of the following data elements: social security number, taxpayer identification number, or employer identification number; financial account number, or credit card or debit card number of such individual; state driver's license identification number or state resident identification number; consumer credit report; employee, faculty, student, or United States armed forces serial number; genetic or biometric information; or mother's maiden name. One potentially troubling aspect of the bill is a provision that allows the Federal Trade Commission (FTC) to redefine what constitutes “sensitive personal information.”

The bill also requires any business or nonprofit entity, including schools, that uses sensitive personal information to develop, implement, and maintain an effective information security program that contains safeguards.  Entities must report data breaches affecting more than 1,000 individuals to the FTC and face penalties for failing to do so.
 
Judiciary Committee Bill

The Judiciary Committee is working on a separate track, and it is expected to consider and combine three bills on Thursday.  There is considerable overlap and some conflicts between the Commerce and Judiciary bills, and these differences will need to be worked out prior to consideration by the full Senate.
 
The major bill before the panel is The Personal Data Privacy and Security Act of 2005, which has been introduced by Judiciary Committee Chairman Specter (R-PA), the ranking Democrat, Senator Leahy (D-VT), and Senator Feingold (D-WI).  It is the most aggressive of current identity theft legislation, with the most far-reaching requirements and penalties.  Many of its definitions are overly broad and vague.
 
The measure would create a new computer crime classification – aggravated fraud – that would add two years of additional jail time for obtaining or accessing another's digital ID; severely restrict the use of Social Security numbers as account identifiers or numbers and prohibit their sale; and hold company executives responsible if they hide a data breach.
 
This legislation defines “sensitive personal information” as a name in combination with almost any number, including date of birth.  It could require some Kids in the Know members to develop “data privacy and security programs,” notify individuals if their data has been compromised through a security breach, and allow individuals to see and alter their information.
 
The panel will also consider two different bills requiring notification of consumers if there is a security breach involving their information.  These measures – one introduced by Senators Feinstein (D-CA) and Kyl (R-AZ), and modeled on the existing California notification law, and another offered by Sen. Sessions (R-AL) – define personal information as a combination of name and Social Security, driver’s license, credit card, or bank account numbers, and similar sensitive data.  They would not affect most Kids in the Know members.
 
Next Steps

At this time, it is unclear whether the panels will complete action on these bills this week, as lawmakers hurry to finish business and leave town for their month-long recess.  The Judiciary Committee, in particular, has already postponed consideration of these bills once, and it is facing a long list of other prominent priorities, including gearing up to consider a new Supreme Court nominee, renewing the Patriot Act, debating bills related to crimes against children and women, and many other matters.
 
Once the two committees approve their respective bills, they will need to reconcile differences before the full Senate can pass legislation.  That will give us another opportunity to recommend changes.  At the same time, leading lawmakers in the House have yet to agree on how to proceed on this complex issue.



For more information about the issues outlined in this update – or for information about Kids in the Know’s other activities – send an e-mail to info@kidsintheknow.org.
