Debate Starts on Legislative Response

WASHINGTON -- A wide range of industries united last week for the first time behind congressional efforts to require all businesses to secure consumer information and tell people if they could be harmed by a breach.

"When we started this process earlier this year, there was a lot of resistance" from business groups, Rep. Michael Castle told reporters last week. "That opposition has receded."

The Delaware Republican helped write a data security bill that was introduced Thursday and is now before the House Financial Services Committee. The legislation generally takes the narrower approach that the business community says it supports.

The business community announced its unified position in apparently coordinated letters sent Wednesday to the Senate Judiciary Committee, which is considering a broader data security bill.

But business groups expressed concern about extending the debate to other areas, including unlimited civil penalties for violations of security standards and allowing consumers to correct inaccurate information companies hold on them.

"We ... strongly endorse the prompt enactment of federal preemptive legislation that obligates all businesses that have custody of sensitive personal information to maintain adequate security measures and, as appropriate, to notify consumers of breaches," wrote the National Business Coalition on E-Commerce and Privacy, a group made up of 16 public companies including Eastman Kodak, General Motors, and Procter & Gamble.

But, the companies said, "It is critical that Congress focus on legislation that is narrowly targeted and does not migrate into unrelated issues that may cause unnecessary delay in the legislative process."

Senate Judiciary is scheduled to vote this year on a comprehensive bill sponsored by the committee's chairman, Arlen Specter, R-Pa.; its ranking Democrat, Patrick Leahy of Vermont; and Sen. Dianne Feinstein, D-Calif.

The legislation would set tough federal rules and increase civil and criminal penalties for companies that handle consumer information. It would give states authority to enforce the federal law, and allow them to legislate in other areas of data protection.

The bill would also let consumers correct inaccurate information companies hold on them, and give the Federal Trade Commission authority to establish new privacy restrictions on the corporate use of consumer information.

It further would require banks and other financial companies to comply with many of these new rules, in addition to the federal security requirements mandated for financial firms by the Gramm-Leach-Bliley Act of 1999.

That does not sit well with financial services firms.

"We believe there should be a very broad GLB-holding company exception to coverage under this bill which would apply to all GLB-covered entities," wrote the e-commerce and privacy coalition, which also includes such financial firms as MBNA, Fidelity Investments, and Charles Schwab. "Failure to do so would place these companies ... in the untenable position of being subject to a dual set of compliance obligations."

The Judiciary Committee was sent at least seven similar letters from the U.S. Chamber of Commerce and other groups representing industries including financial services, retail, technology, marketing, automotive, consumer products, and even photography. The letters all backed basic notification standards but gave detailed objections to dozens of other provisions.

The bill "goes well beyond providing breach notification and identity theft protection, and creates a complex regulatory scheme that will impact a broad range of businesses and a very broad range of information," the National Retail Federation wrote. …