With data breaches happening almost every day, there's a lot of interest but little consensus on how new legislation can help protect consumer privacy online.
Lawmakers are trying to balance business interests with
consumer needs as they grapple with online security and privacy.
Federal officials appeared to be in broad agreement over the
need for data breach laws at the data security and privacy hearing held by the Senate
Commerce, Science and Transportation Committee
on June 29. The disagreements
appeared to be over reconciling consumer wants with companies who claim
"do not track" proposals and online privacy laws would hurt business.
There is "broad support" for a national standard on
data security, according to Sen. Pat Toomey (R-Penn), a ranking member of the
subcommittee. He said Congress was likely to pass some kind of a data security
bill "in the near future," but there wasn't a broad consensus on
general privacy issues.
"I'm sure no one on the committee wants to break the
Internet," Toomey said, arguing that new privacy regulations could hurt
Internet businesses and reduce the number of free online services consumers
There are currently three privacy and security bills making
the rounds in the Senate, including Sens. John Kerry (D-Mass) and John McCain's
(R-Ariz) Commercial Privacy Bill of Rights
, Chairman Jay Rockefeller (D-W.Va) and Sen. Mark Pryor's (D-Ark)
and Breach Notification Act, and
The bills were introduced during amid reports of
high-profile data breaches that have dominated the news in the first half of
"If nothing else, perhaps the frequency, audacity and
harmfulness of these attacks will help encourage Congress to enact new
legislation to make the Internet a safer place," Sony Network Entertainment
president Tim Schaaff said at the hearing.
Rockefeller said it was "high time" organizations
were prevented from doing whatever they wanted with personal details belonging
to consumers. Rockefeller's data security bill would require companies to have
security monitoring tools on their networks to prevent "reasonably foreseeable"
attacks. It would also require companies
holding personal information to have security policies on the collection and
use of the information as well as a clear process for erasing the data.
"I want ordinary consumers to know what's being done
with their personal information, and I want to give them the power to do
something about that," Rockefeller said during the hearing.
The breach notification rules in the data security bill
would also define how soon companies should inform users when their information
has been breached. Sony
recently came under fire for waiting
before disclosing their customers' credit card information was compromised.
Basic security safeguards and breach notification are
"a cost of doing business in the new world," Rockefeller said.
The Federal Trade Commission doesn't have an official
position on whether privacy bills are needed, FTC member Julie Brill said at
the hearing. However, the agency believes "do not track" requirements are
needed, even on mobile devices, Brill said. Even though major browsers,
including Internet Explorer, Firefox and Chrome, now offer a mechanism for a
universal opt-out, there is nothing mandating companies and advertisers to
honor those consumer requests and no way for the FTC to enforce compliance,
"Advertisers and ad networks are disparate. Unless you
get them to uniformly agree, I'm not sure a self -regulatory mechanism can work,"
Do-no-track legislation will make it easy for Web users to
stop all companies from tracking them online, Rockefeller said. "One
click, no information collected," he said.
Toomey questioned the need for letting consumers opt-out of
data collection, as outlined in the "Do Not Track" bill or the joint
Kerry-McCain privacy bill. "In a world where millions of people
voluntarily share very personal information on websites like Facebook and
Twitter on a daily basis, I'm not sure exactly what consumer expectations are
when it comes to privacy, but I am pretty sure different consumers have different
expectations," Toomey said.
A recent Consumers Union poll found that eight of ten
Internet users said they should be able to opt-out of Internet tracking from a
single location, similar to the mechanism proposed in the "Do Not
Track" bill. About two-thirds of the 1,007 households surveyed said the government
should be safe-guarding their privacy online.
"Although we live in an age of extensive sharing, very few
people would agree that every piece of information they transmit should be
available to everyone, for any conceivable purpose," Ioana Rusu, regulatory
counsel for Consumer Union said at the hearing.