Last week, Reps. Joe Barton, R-Texas, and John Dingell, D-Mich., the chairman and ranking minority member of the House Committee on Energy and Commerce, respectively, floated a draft bill requiring businesses engaged in interstate commerce to encrypt sensitive personal data.
The bill calls for data brokers to submit their security policies annually to the Federal Trade Commission for approval.
Broader than any other IT security proposal on Capitol Hill—including the latest Senate bill, the Personal Data Privacy and Security Act—the Barton-Dingell draft bill deals with the kind of government technology involvement most industries fear.
The IT industry, however, has become increasingly vocal on the need for Congress to act.
"The public has been crying out for help, and businesses have not responded," said Mike Gibbons, vice president of Federal Security Services for Unisys Corp., based in Philadelphia. "It's not a Chicken Little affair. I say the sky has already fallen; it's just a matter of when a piece is going to hit you."
Definitions are a thorny issue in identity-theft legislation. Many details will likely be left to regulators, who will have to show nuanced technological understanding.
For example, a blanket mandate to encrypt sensitive data is not practical, but mandated encryption for data traveling over the Internet or backed up on tapes might make sense, industry experts say.
The Barton-Dingell draft bill would require companies holding sensitive data to hire an information security officer, and the bill sets up a national breach notification requirement, pre-empting state laws. If a breach could result in identity theft, the compromised company must provide a free credit report and a one-year subscription to a credit-monitoring service to potential victims.
"I intend to support tough legislation mandating enhanced security practices and swift and strong punishment for those who violate the law and harm consumers," Dingell said.
The latest proposal in the Senate focuses more on penalties than on technology mandates. It sets fines for failing to provide adequate security and strengthens criminal penalties for hackers and identity thieves, as well as anyone attempting to cover up a security breach. Companies that have personal data on more than 10,000 Americans would need to have privacy and security programs and screen third-party data processors.
The Barton-Dingell proposal will be aired at a hearing that the House Subcommittee on Commerce, Trade and Consumer Protection plans to hold in the near future.