Data breaches have been foremost on the mind of this Congress following the high-profile disclosures earlier this year from ChoicePoint Inc. and LexisNexis, a branch of Reed Elsevier Inc. The passage of breach notification laws in two dozen states spurred industry to press hard for a federal law pre-empting the states.
Just before the Thanksgiving recess, the Senate Judiciary Committee approved in a bipartisan vote the Personal Data Privacy and Security Act, authored by Sens. Arlen Specter, R-Pa., and Patrick Leahy, D-Vt.
The bill requires companies holding personal data on more than 10,000 Americans to implement privacy and security programs.
Data brokers would have to let people know what information is held on them and provide an opportunity for people to correct false data. When there is significant risk of harm to an individual whose data is compromised, the data holder must notify the individual, law enforcement and credit reporting agencies.
"In this information-saturated age, the use of personal data has significant consequences for every American," Leahy said upon committee approval of the bill. "People have lost jobs, mortgages and control over their credit and identities because personal information has been mishandled or listed incorrectly."
Privacy advocates widely support the Specter-Leahy initiative, although many would like to see provisions added for better Social Security number protection and to give consumers the ability to freeze their credit reports.
Next year, Senators will negotiate to reconcile the Specter-Leahy bill with those in other committees. Over the summer, the Senate Commerce Committee passed its own data breach notification bill, the Identity Theft Protection Act, and the Senate Banking Committee is expected to take up a bill of its own as well.
In the House, the breach notification debate faced a tougher course this year, running into partisan divisions and turf battles among several committees. More than a dozen bills were introduced, but there remains considerable disagreement over the trigger for breach notification and the degree to which state laws should be pre-empted.
Republicans on the House Subcommittee on Commerce, Trade and Consumer Protection approved the Data Accountability and Trust Act in mid-November, but Democrats voted against it, arguing for a stronger measure.
As for spyware, the SPY BLOCK Act won the approval of the Senate Commerce Committee the week before Thanksgiving over the objection of Senators pushing for a more market-driven approach that is backed by industry.
SPY BLOCK requires disclosure to users when certain programs pose a threat to privacy, and it ensures that users have an easy way to uninstall spyware software.
Spyware "is one of those situations where we hear about it every time we go home," said Sen. Conrad Burns, who authored the bill. "Legislation will only be a small part of the solution, I'll guarantee you that."
Some privacy advocates and some in industry are urging Congress to enact a broader privacy law rather than addressing the matter on a technology-specific basis.
"Where does it stop, if you keep doing this sectorally?" said Ari Schwartz, associate director at the Center for Democracy and Technology in Washington. "You basically say to the consumer, get a lawyer if you want to protect your privacy, if we keep going down this path."