Congress assesses data security proposals: a number of bills have been introduced in the Senate and House, but no further action is expected until later in 2006.

• Author: Moye, Stacey
• Position: ON THE EDGE: The Use & Misuse of Information

Americans demand security and privacy for their personally identifiable information. The establishment of new technology systems that allow for the easy access and transference of personally identifiable data between parties has raised concerns on Capitol Hill suggesting the need for additional safeguards.

Incidents of breach of sensitive personal information continue to rise. A 2003 survey of a one-year period by the Federal Trade Commission revealed that more than 10 million people had experienced identity theft in one form or another. Widely reported episodes of data breaches, such as those by Bank of America and Lexis-Nexis, serve as lessons to information brokers that the highest level of security is required to ensure that personally identifiable information is not compromised. These incidents have captured the attention of lawmakers, and a number of measures that aim to prevent data breaches have been proposed in the Senate and the House.

The Identity Theft Protection Act, S. 1408, is sponsored by a bipartisan group of senators and was voted out of the Senate Commerce, Science and Transportation Committee on July 28, 2005. S. 1408 would require covered entities (i.e., any commercial entity or charitable, educational, or nonprofit organization that acquires, maintains, uses, or disposes of sensitive personal information) to take reasonable steps to protect against security breaches and to prevent unauthorized access to sensitive personal information that the entity sells, maintains, collects, transfers, or disposes. To safeguard against authorized breaches of information, covered entities would be required to "develop, implement, and maintain an effective information security program that contains administrative, technical, and physical safeguards for sensitive personal information."

The bill directs covered entities to report security breaches affecting 1,000 or more persons to the Federal Trade Commission (FTC) and to any other appropriate regulatory body and to notify all relevant consumer reporting agencies of the breach. Covered entities are required to notify individuals if the breach would cause identity theft. S. 1408 allows consumers to place a security freeze on their credit reports in the event of a breach. The measure further directs the establishment of an Information Security Working Group to develop best practices to protect sensitive personal information.

According to senior congressional staff, provisions contained in S. 1408 allowing consumers to institute a credit freeze in the event of a security breach are creating tensions with other Senate committees. The Senate Banking Committee claims jurisdiction over the credit freeze provisions, and its inclusion is slowing consideration of the measure. Senate staff involved in the legislation indicate that there will be no further action on this bill until...