Before leaving for the Thanksgiving holiday, Senate panels approved bills on two data privacy issues that were debated all year—data breach notification and anti-spyware regulation—teeing them up for action next year.
Data breaches have been foremost on the mind of this Congress following the high-profile disclosures from ChoicePoint Inc. and LexisNexis early in the year. The passage of breach notification laws in two dozen states spurred the technology industry to press hard for a federal law pre-empting the states.
Just before the Thanksgiving recess, the Senate Committee on the Judiciary approved in a bipartisan vote the Personal Data Privacy and Security Act, authored by Sens. Arlen Specter, R-Pa., and Patrick Leahy, D-Vt.
The bill requires companies holding personal data on more than 10,000 Americans to implement privacy and security programs. Data brokers would have to let people know what information is held on them and provide an opportunity for people to correct false data. When there is significant risk of harm to an individual whose data is compromised, the data holder must notify the individual, law enforcement and credit reporting agencies.
“In this information-saturated age, the use of personal data has significant consequences for every American,” Leahy said, upon committee approval of the bill. “People have lost jobs, mortgages and control over their credit and identities because personal information has been mishandled or listed incorrectly.”
Next year, senators will negotiate to reconcile the Specter-Leahy bill with those in other committees. Over the summer, the Senate Committee on Commerce, Science and Transportation passed its own data breach notification bill, the Identity Theft Protection Act, and the Senate Committee on Banking, Housing and Urban Affairs is expected to take up a bill of its own as well.
In the House, the breach notification debate faced a tougher course this year, running into partisan divisions and turf battles among several committees. More than a dozen bills were introduced, but there remains considerable disagreement over the trigger for breach notification and the degree to which state laws should be pre-empted.
Republicans on the House Subcommittee on Commerce, Trade and Consumer Protection approved the Data Accountability and Trust Act in mid-November, but Democrats voted against it, arguing for a stronger measure.
As for spyware, the SPY BLOCK (Software Principles Yielding Better Levels of Consumer Knowledge) Act won the approval of the Senate Commerce Committee the week before Thanksgiving over the objection of senators pushing for a more market-driven approach that is backed by industry.
Privacy advocates are urging Congress to enact broader privacy laws rather than addressing the issue with specific technologies.
“Where does it stop if you keep doing this sectorally,” said Ari Schwartz, associate director of the Center for Democracy and Technology, in Washington.