[Infowarrior] - Accountability Is Key Goal of Privacy Legislation

Richard Forno rforno at infowarrior.org
Thu Feb 1 16:43:58 EST 2007


Accountability Is Key Goal of Privacy Legislation
Rep. Frank Wants Added Protections for Consumers
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/01/AR2007020100748_pf.html
By Brian Krebs
washingtonpost.com Staff Writer
Thursday, February 1, 2007; 10:19 AM

Data privacy is likely to be among the hottest technology issues to face
Congress this year, thanks in part to interest from the new chairman of the
powerful House Financial Services Committee.

Panel Chairman Barney Frank (D-Mass.) said he plans to craft a bill by
working with the head of the committee overseeing commerce issues. His
measure would exempt companies from disclosing data breaches, provided they
secure the data with encryption software, or some other technology that
would render it virtually unreadable if it fell into the wrong hands.

Frank also said he wants retailers to be held more accountable for data
breaches. Earlier this month, TJX Companies, the Massachusetts-based parent
company of discount retailers TJ Maxx and Marshalls, disclosed that hackers
had broken into its credit card processing network, exposing financial
details on millions of Americans. This week, the Massachusetts Bankers
Association said that some of its member banks have reported fraudulent
transactions associated with the data breach. Credit card issuers have
contacted at least 60 banks affected by the break-in, the MBA said.

While more than 30 states have laws requiring companies to alert residents
of a data breach, most of the statutes let the affected company delay
notifying banks while law enforcers investigate. Frank said retailers should
be required to notify banks that issued the compromised credit card accounts
so that financial institutions can issue customers new cards before fraud
occurs.

"For too long, retailers have been immunized from having to own up when it's
their mistake through contractual protection from Visa and MasterCard,"
Frank said.

Officials from Visa and MasterCard declined to comment for this story. But
Mallory Duncan, senior vice president of the National Retail Federation,
said Frank's proposal was an effort by some smaller banks to shift more of
the costs of fraud to retailers.

"Most of the larger banks have very sophisticated, round-the-clock fraud
monitoring systems in place, but a lot of the smaller institutions don't
have those systems," Duncan said. "These institutions have abdicated their
responsibilities in this regard, and now they want retailers to pay for it."

More than 100 million Americans have had their personal data compromised due
to data breaches or mishaps, according to the Privacy Rights Clearinghouse.

The data breach bill that enjoyed the most support from industry and
consumer groups last year -- offered by California Democratic Sen. Dianne
Feinstein -- would require any organization holding personal data to notify
consumers upon learning of a data breach. Feinstein's measure contains
fairly broad exemptions, and it would preempt many tougher state laws.

Feinstein's bill, among the first to be reintroduced this year, also would
require companies to notify consumers of a breach regardless of whether the
data was encrypted, although companies would only be forced to notify if
records on at least 10,000 customers were jeopardized.

But it is far more palatable to consumer groups than a proposal that came
close to a vote in the House of Representatives last year. That measure
would have barred most consumers from requesting "security freezes" on their
credit files. It also would have given businesses greater discretion in
determining when consumers should be notified about a data breach.

Liz Gasster, acting executive director of the Cyber Security Industry
Alliance, said her member companies would lobby for the inclusion of a legal
liability exemption for data breaches that involve stolen or lost personal
information that has been protected by encryption technology.

"We want to ensure that if companies take steps like using encryption as
part of their overall security plan that there would be some sort of safe
harbor limitation on liability," said Gasster, whose group represents some of
the world's largest computer security firms.

David Sohn, staff counsel for the Center for Democracy & Technology, a
policy group in Washington, said an encryption exemption in a data breach
bill would help avoid alarming consumers over data breaches that have a very
low likelihood of compromising their personal information.

"So long as [the legislation] is written not to exempt companies that also
have their encryption keys [needed to unscramble encrypted data] stolen
along with their customers' information, there is a strong argument to be
made that sending notices to consumers in those cases could desensitize
people into not being vigilant in cases where it really matters," Sohn said.

While some major corporations -- most recently Microsoft -- have expressed
support for some kind of federal consumer privacy law to govern how
companies can use, combine and trade consumer data, the effort to produce
baseline privacy protections for consumers may be among the most contentious
of policy debates, said Fred von Lohmann, a senior staff attorney with the
Electronic Frontier Foundation.

"Data privacy is one of those areas where you're going to have very big
corporate interests on both sides," von Lohmann said. "The question with
this issue -- as with others -- becomes, is this an area where dueling
interest groups will make it difficult for Congress to come to an effective
solution, or is it something that's moving so fast that anything Congress is
likely to do will end up obsolete a year or two from now?"

Consumer groups also expect corporate- and government-backed data mining
practices to receive heavy scrutiny from this Congress, in part because the
Senate Judiciary Committee is now headed by Patrick Leahy, a Democrat from
Vermont known for his staunch advocacy on consumer privacy matters.

The Bush administration has come under heavy fire from privacy advocates for
its data mining initiatives and for pressuring Internet service providers to
dramatically extend the length of time that they retain records of their
customers' online activities. In a shining example of how few technology
policy concerns divide neatly along partisan lines, the administration's
data retention plan was backed with legislation offered by Rep. Diana
DeGette, a Democrat from Colorado.

Leahy declined to comment for this story, but in a speech at the Georgetown
University Law Center following the mid-term election, Leahy said he plans
to introduce legislation to curtail what he called the "proliferation of
data brokers and the burgeoning market for collecting and selling personal
information."
