Next Article in Business (10 of 32) >
The New York Times Business
Skip to article
NYTimes.com Welcome, vsauter2 - Member Center - Log Out
Business Home Media & Advertising World Business Your Money Markets Company Research Mutual Funds Stock Portfolio Columns

Data Security Laws Seem Likely, So Consumers and Businesses Vie to Shape Them

Published: November 1, 2005

It has been a bad year for data security.

The Privacy Rights Clearinghouse, a consumer advocacy group in San Diego, has counted 80 data breaches since February, involving the personal information of more than 50 million people. The sensitive data - names, Social Security and credit card numbers, dates of birth, home addresses and the like - have either been lost by or stolen from companies and institutions that compile such data.

Skip to next paragraph
ASK THE EXPERT
Marc Rotenberg, executive director of the Electronic Privacy Information Center, will answer questions about data security and privacy law. Questions can be sent to askbusiness@nytimes.com. Answers will be posted next week.
Multimedia

In February, ChoicePoint, the big data broker, raised public awareness of the problem when it announced that thieves had fraudulently obtained information on 145,000 consumers. In August, even the United States Air Force reported a data breach - a hacker may have gained access to a military management database and personal information on 33,000 officers.

In response, more than a dozen bills have been introduced in Congress this year.

Companies that compile, trade and store consumer data, while largely resigned to the idea that new legislation will hold them to a higher standard for security, want to minimize the impact of any new law, maximize their discretion when it comes to notifying consumers of breaches and limit their liability when they do spring leaks.

A bill introduced by Senator Jeff Sessions, Republican of Alabama, for instance, simply requires businesses to improve security on the data they carry and to notify consumers only if there is a "significant risk of identity theft."

But proving a "risk of identity theft" is nearly impossible, said Chris Jay Hoofnagle, senior counsel with the Electronic Privacy Information Center in Washington, a public interest research center.

Mr. Hoofnagle and other consumer and data privacy groups want strict new security standards that would require notification whenever data is inappropriately viewed or acquired.

They also want to give individuals the right to see and correct information that companies have collected on them and the ability to freeze their credit, that is, to prevent new credit accounts from being opened in their names without authentication.

Senator Charles E. Schumer, a New York Democrat, introduced a far-reaching bill earlier this year that addressed many of these points, but it failed to gain bipartisan support.

The existing batch of state laws - including California's data security notification law, which is largely credited with forcing companies nationwide to tell consumers about data breaches - also present a sticking point. The data brokering industry wants to ensure that any new federal law pre-empts state laws and limits the ability of states and individuals to sue in the event of a breach.

Consumer and data privacy groups, figuring that any law passed by Congress is likely to be less restrictive, want to preserve the ability of state and local governments to make and maintain tough laws.

"Industry hopes to use the furor over breaches as a way to pass a modest federal reform that just happens to also permanently restrict the states from passing virtually any financial privacy or identity theft laws," said Edmund Mierzwinski, the consumer program director for the United States Public Interest Research Group in Washington.

Whether any bill will pass this year is an open question, though the pressure is on. Just last week, 47 state attorneys general sent a letter to Congress urging the creation of a tough, far-reaching bill that would include many of the components that advocacy groups seek.

And on Wednesday, Representative Clifford B. Stearns, Republican of Florida, introduced the Data Accountability and Trust Act, which proposes tough new regulations for data brokers. The bill would force companies handling consumer data to, among other things, appoint a data security officer, draft explicit security policies and submit them to the Federal Trade Commission, offer consumers access to their own files and create a procedure for correcting errors.

The bill would also require companies to notify not just consumers of a breach, but also the F.T.C., which would then be permitted to audit the company's security program.

"But it needs better enforcement language," said Joseph Ansanelli, the chief executive and co-founder of Vontu, an information security company in California, who has frequently testified before Congress on issues of consumer privacy protection.

Mr. Ansanelli says the biggest problem with data security is the patchwork of laws governing too many narrowly sliced industries and too many different situations, when it is really all about the data.

"Confusion," he said, "is the enemy of consumer protection."

Advertisement

Most E-Mailed Articles