House Panel Moving on
Database Security Measure
Senate Bills Await Action

When Congress adjourned for a month at the end of July, lawmakers in both the House and Senate expected to move quickly after Labor Day on database security and notification bills. But hurricane Katrina and the confirmation hearings for a new Supreme Court Chief Justice have delayed movement somewhat, and may stretch out consideration throughout the fall.

House Bill to Take First Steps Next Week

Throughout August the staff of the House Energy and Commerce Committee worked on refining draft legislation which they now plan to formally introduce next week. The panel’s Subcommittee on Commerce, Trade and Consumer Protection hopes to pass some version of that bill next week as well.

The draft legislation being circulated, called the Data Accountability and Trust Act (DATA), would not have a significant impact on most Kids in the Know members. This is primarily because it limits its definition of “security breach” to the loss or theft of data when “there is a significant risk of identity theft to the individual.” It also defines “personal information” as a combination of name and such sensitive information as a person’s Social Security number, driver’s license numbers, and numbers associated with financial accounts.

One point of concern is that the bill authorizes the Federal Trade Commission (FTC) to broaden the definition of “personal information.” It will also most likely include some data security requirements for all data brokers. Some consumer groups are pushing to require greater reporting to the FTC of the loss or unauthorized acquisition of data, even if there is no harm to consumers.

The Subcommittee will make changes to the draft now under consideration, and the details could have implications for more data users. The measure is also expected to go through further revisions prior to consideration by the full Committee.

Next Steps in the Senate

The Senate Commerce Committee approved a major database security and identity theft bill on July 28, and is now waiting for other panels to weigh in on areas where they have jurisdiction. The Senate Judiciary Committee has repeatedly postponed action on the issue due to Supreme Court nomination hearings and other matters.

The main legislation it hopes to consider soon is the Personal Data Privacy and Security Act of 2005, which was introduced by committee Chairman Arlen Specter (R-PA), Ranking Democrat Senator Pat Leahy (D-VT), and Senator Feingold (D-WI). Much of the measure deals with criminal penalties. The main issues of concern to Kids in the Know members are:

• Notifying consumers of a security breach would only be required if “sensitive personal information” is lost or stolen, but “sensitive personal information” is broadly defined to include “any name or number used in conjunction with any other information to identify a specific individual.”

• Companies are required to implement a “comprehensive personal data privacy and security program,” but the program can be “commensurate with the sensitivity of the data.”

• Database holders are also required to disclose to individuals, for a “reasonable fee,” what information they have about them and allow the person to make corrections. They can however terminate the request if they deem it to be “frivolous or irrelevant.”

After the Judiciary Committee considers this and other notification bills, which are similar to California’s law, they will begin the process of combining it with the Commerce Committee’s bill before the full Senate can consider it.