Congress Still AWOL on Data Breach Disclosures

In 2005 ChoicePoint was forced to admit it was duped into turning customer data over to thieves. Almost 200,000 people were affected by ChoicePoint's data breach, and Congress was riled.

But what got lawmakers really steamed was ChoicePoint's admission that if it had not been for California's then-new data breach disclosure law, the data broker would not have told any of the potential identity theft victims of the breach. With their usual flair, lawmakers introduced bills, held hearings and pontificated at length on the need for consumers to be informed when their personal information is compromised.

The Republican-controlled 109th Congress, though, ultimately did nothing about a national data breach disclosure law. Unfortunately, the Democrat-controlled 110th Congress is about to clock in with the same results.

Almost four years after the fact, Congress still piously rails against U.S. data breaches, holds high-profile hearings that play well back home and, ultimately, does nothing.

Data breach notification bills in both the House and Senate failed in the 109th largely because of jurisdictional disputes between various committees. Lawmakers also struggled with the trigger mechanisms for breach notification. Some favored notification when a "significant" risk of potential identity theft exists while others supported a "reasonable" risk standard.

In the 110th Congress, which hardly has a breath of life left in it, the same types of data breach disclosure legislation were introduced and met the same fate. Even Sen. Dianne Feinstein's bill to let retailers, data brokers and others determine the disclosure trigger failed to gain traction.

Everyone, it seemed, was worried about consumers getting too many notices that would lead them to ignore all warnings. Meanwhile, more than 40 states have passed some sort of data breach disclosure law, creating a hodgepodge of standards.

What is Congress waiting for? Surely it is not for the security industry to create magic bullets. It hasn't.

According to data released Oct. 6 by the ITRC (Identity Theft Resource Center), data breaches continue unabated at U.S. corporations, governments and universities, already surpassing last year's record 446 breaches. Through the end of September, the total number of data breaches recorded by the ITRC was 516, averaging 57 breaches a month.

Instead of going forward, it seems we're going backwards.