More Bills on Data Theft: Differences Arise over Preemption, Notification

Article excerpt

WASHINGTON -- The Senate Commerce Committee plans to vote on a comprehensive data security bill by August, and it probably will let states set tougher rules, Sen. Gordon Smith said Thursday.

"We want to give the states elbow room, but it will set very high standards," the Oregon Republican said after a hearing where lawmakers and all five Federal Trade Commission members agreed that the government needs to help curb the increasing number of corporate security breaches that have exposed consumer data.

The bill, which Sen. Smith is drafting with Senate Commerce Chairman Ted Stevens, R-Alaska, and the committee's ranking Democrat, Sen. Daniel Inouye of Hawaii, is one on a growing list in Congress. Others are being developed in the Senate Judiciary, House Financial Services, and House Energy and Commerce committees.

Details on all the bills remain sketchy, but the centerpiece of the four measures is expected to be detailed standards about when and how data handlers must notify consumers that their information has been lost or stolen.

"Notification is the central question," Sen. Smith said. "We want to make sure that notification is triggered when it really does involve a threat to an individual's privacy. We don't want this to be so frequent that it amounts to junk mail when in fact it involves something very serious."

Lawmakers say the recent loss or theft of more than 9 million customer records at banks, data brokers, and other businesses has given them momentum to enact something this year or next.

"This needs to be one of the accomplishments of the 109th Congress," Sen. Smith told reporters. "I hope it is in this session and not the next, but it certainly will be the work of the 109th Congress."

Sen. Dianne Feinstein, D-Calif., who has introduced three data security bills being used as models for some of the committee bills, told the Commerce Committee that business interests are working against congressional efforts to tighten data security laws.

"We're fighting big businesses out there who make a lot of money on these databases and do not want the public to receive a notice that says 'We sell your data. ... May we have your permission to do so?' " she said. "Banks are buying more industries, and they want to be able to share this information with those industries."

She told reporters after the hearing that business lobbyists are exerting "tremendous power" to preserve the status quo.

"My understanding is Citigroup sells to some 2,000 other companies this database information, so they obviously have a vested interest. …