November 18, 2005
LEGISLATIVE UPDATE

Data Privacy Bill Passes Judiciary Committee
May Have Implications for Kids in the Know Members



Yesterday, the Senate Judiciary Committee passed the Personal Data Privacy and Security Act of 2005 (S. 1789) sponsored by committee Chair Arlen Specter (R-PA), Ranking Democrat Senator Pat Leahy (D-VT), and Senator Feingold (D-WI). The bill passed with strong support of the committee by a 13-5 vote.

The bill requires companies to provide notice of security breaches, enhances criminal penalties, and calls for protections against security breaches, fraudulent access, and misuse of personally identifiable information. Sen. Leahy said in a statement, “This bill will ensure that our laws keep pace with technology. In this information-saturated age, the use of personal data has significant consequences for every American. People have lost jobs, mortgages and control over their credit and identities because personal information has been mishandled or listed incorrectly.”

The bill has been modified since September, when we reported on many issues of concern, including the overly broad definition of “sensitive personal information” that included “any name or number used in conjunction with any other information to identify a specific individual.” While the bill that passed the committee contains a narrower definition of “sensitive personal information,” it would be harmful to Kids in the Know members were it to become law as is.

The legislation was spurred by issues earlier in the year concerning security breaches and theft of consumer information, particularly social security numbers, within banks and companies such as ChoicePoint. Therefore, “sensitive personal information” is first defined as an individual’s name in combination with their social security number, driver’s license number, passport number, or alien registration number.

However, “sensitive personal information” is also defined to include a person’s name in conjunction with their home address or telephone number, and month, day and year of birth, information that is commonly collected by many companies.

Bill Requirements Would be Burdensome, Costly

Should a business collect and store this “sensitive personal information,” they would then be required to implement a comprehensive personal data privacy and security program that includes safeguards appropriate to the “size and complexity of the business entity and the nature and scope of its activities” within one year. The program must be designed to ensure the safety and security of the records and protect against unauthorized access that could result in substantial harm or inconvenience to an individual. The business would then have to take steps to ensure employee training for implementation of the program, test for the program’s vulnerability, select and retain service providers who can maintain these security safeguards, and periodically monitor and evaluate the program.

The bill also requires that the company complete a risk assessment to identify current potential vulnerabilities and to assess both the likelihood of potential damage from unauthorized access and the sufficiency of the policies and safeguards that are already in place.

Any business that violates these provisions would be subject to civil penalties of $5,000 per violation per day, with a maximum of $35,000 a day while violations persist. The company would also have to provide notice to individuals affected by a breach of a company’s database or list of names “without unreasonable delay” following the breach.

Companies may be exempt from providing notice to those affected by the breach if their “risk assessment” concludes within 45 days that the breach has not resulted in significant risk or harm to the individuals affected, and upon submitting to the Secret Service obtain a receipt of this decision within 10 days. This exemption may lessen the impact on Kids in the Know members from the requirements, though businesses would still have to comply with these burdensome administrative requirements until the Secret Service indicates they will accept this decision.

Kids in the Know will continue to work with the sponsor’s staffers on our recommended changes and keep you posted on any developments.




 
For more information about the issues outlined in this update, or for information about other Kids in the Know activities, contact Michael Fleischer:

email: info@kidsintheknow.org
phone: 202.667.0901
web: http://www.kidsintheknow.org


