Federal lawmakers are eager to take action against the growing problem of data theft, but some security and privacy experts fear that the zeal to see legislation passed may result in a nationwide law that is weaker than state measures already in place.
Last week, U.S. Rep. Cliff Stearns, R-Fla., added the Data Security & Breach Notification Act to the mix of pending data theft measures. The bill has won the support of key House members but faces competition from a number of other measures, including a Senate bill already approved by the Commerce Committee and a bipartisan Senate Judiciary Committee bill.
The Stearns measure directs the Federal Trade Commission to set rules requiring security for personal data and gives consumers access to the information that is held on them. However, it does not address the government's use of commercial data, nor does it contain a provision on the rights of consumers to freeze their credit reports.
"As currently drafted, it leaves out some things we'd like to see addressed," said David Sohn, staff counsel at the Center for Democracy and Technology, in Washington. "On pre-emption [of state data theft laws] and the trigger for [consumer] notice, some further discussions would be necessary."
The Stearns bill exempts a company from the notification requirement if it uses robust encryption and other key safeguards on the data, on the grounds that people don't need to know their data has been stolen if it can't be used. For many privacy and security advocates, a blanket exemption for encrypted data is unacceptable because weak encryption could be used and there is the potential for data thieves to steal an encryption key. In addition, some see a need for the government to know about breaches even when they don't warrant consumer notification.
In the Senate, the Personal Data Privacy and Security Act, authored by Sens. Arlen Specter, R-Pa., and Patrick Leahy, D-Vt., enjoys considerable bipartisan support, but some in the security business see it as too weak to be effective.
"There are really no guidelines being set forth on how to enforce this," said Jim Stickley, chief technology officer at TraceSecurity Inc., a maker of security compliance software and services in Baton Rouge, La. In addition, Stickley said, any data theft legislation that excludes the financial and health care sectors—as the Specter-Leahy bill does—will be fruitless.
Stickley said he was asked to review the Specter-Leahy bill but that his suggestions for tougher enforcement met with little response. Unfortunately, he said, that bill may be replaced by a weaker version sponsored by other lawmakers.
"They're trying to get a bill out to say they've done something," Stickley said. "Our concern is that this is more of a knee-jerk reaction."