Debate continues on data privacy bill

2006 could be the year for a law dealing with identity theft

The familiar problem of too many cooks in the kitchen will keep federal lawmakers from passing a personal data privacy and security bill this year.

Privacy proponents and other supporters say they had expected Congress to pass a bill quickly following widely publicized security breaches at ChoicePoint, LexisNexis and other high-profile data companies earlier this year.

But privacy advocates remain optimistic that lawmakers will approve national legislation in 2006 for protecting personal information and notifying people whose information is stolen or unlawfully obtained.

At least a half-dozen House and Senate committees are working on legislation to address problems of identity theft and unauthorized data access, which is slowing the legislative process, said Dan Burton, vice president of government affairs at Entrust, an information security company.

But people have stopped debating which committees have jurisdiction over data privacy and security, he added. Now they are arguing about what the legislation should and should not include.

Two topics in particular have generated partisan reactions, Burton said. Democrats and Republicans on the House Financial Services Committee disagree on whether federal law should pre-empt the data privacy and security laws in 21 states.

The two sides also differ on when companies should be required to notify people of unlawful access to their personal data. Burton said Republicans on the committee favor a federal law that would pre-empt all state laws and require notification only when a security breach poses a significant risk.

Many state laws offer stronger privacy protections than proposed federal laws, said Chris Hoofnagle, senior counsel at the Electronic Privacy Information Center, a public interest research center. Those who want to pre-empt state laws are "driven by a desire to prevent a stronger law rather than to bring up all the ships," he said.

Several competing legislative proposals contain what some industry officials call a safe harbor encryption provision. Burton said such a provision would let companies disregard any federal law's notification mandate if they encrypted the personal information in their databases.

Hoofnagle said he opposes writing technical specifications into law. "Mandating encryption might not always be a good idea," he said. "There might be more effective security mechanisms."

Most of the data security bills circulating in Congress require companies to establish information security policies and procedures and use an outside auditor to verify that they are effective.

"A year ago, if you had said the federal government is going to require security, industry would have been up in arms," Burton said. But the high-profile security breaches this year made many companies realize that mandatory security is not such a bad idea, he said.

Two provisions are unlikely to become part of any legislation passed next year, Hoofnagle said. One is a provision to apply the federal Privacy Act to commercial databases containing personal information. The other is a measure to safeguard Social Security numbers by preventing their unauthorized collection or disclosure.

Microsoft announced Nov. 3 that it supports comprehensive data privacy legislation that would let individual consumers gain access to and manage the personal information that companies collect online.

"We have a decent chance of having something happen in 2006," said Paul Kurtz, executive director of the Cyber Security Industry Alliance, an industry policy group. "The sooner the better, given that we continue to see security breaches."

Privacy law update?

Some industry observers say they expect lawmakers to pass something less than a comprehensive data security and privacy bill in 2006. Here are five provisions that the experts think a final bill most likely will contain.

  • The federal legislation will pre-empt states' data security and privacy laws.
  • Information security mandates will resemble those in the 1999 Gramm-Leach-Bliley Act.
  • The government will tell companies how to notify people when their personal data has been compromised.
  • Companies will not face unlimited liability for data security breaches.
  • A single agency will enforce the law.

-- Florence Olsen