Friday, May 11, 2007

Two Identity Theft Bills Approved by Senate Judiciary Committee

This posting was written by John Scorza, CCH Washington Correspondent.

The Senate Judiciary Committee passed a pair of bills designed to protect against identity theft by requiring the government and private companies to notify consumers when data breaches occur. The committee approved the bills on May 3.

The Notification of Risk to Personal Data Act (S. 239) would require federal agencies and private businesses to notify individuals and the media if there is a security breach of personal data. The notice would need to include a description of the breach and a toll-free number to call for more information.

If more than 5,000 individuals must be notified, the agency or the company would need to coordinate with credit reporting agencies. Significant data breaches involving the federal government or involving national security or law enforcement would require notice to the Secret Service.

The bill would provide a safe harbor if a risk assessment concludes there is no significant risk of harm and the Secret Service agrees. Breaches that involve only credit card numbers would not require notice if the card issuer has an anti-fraud security program and provides notice of fraudulent transactions.

The proposed "Personal Data Privacy and Security Act" (S. 495) contains the same notification provisions as the first bill approved by the committee. Additionally, the measure would add unauthorized access to sensitive personally identifiable information to the criminal prohibition against computer fraud.

It would require data brokers to let individuals know what information they have about them and, when appropriate, allow individuals to correct demonstrated inaccuracies, with exemptions for products and services already subject to access and correction rules.

Companies that have databases with personal information on more than 10,000 Americans would be required to implement data privacy and security programs, and vet third-party contractors hired to process data. The bill would allow for monetary and criminal penalties for violations.

"This comprehensive bipartisan privacy bill is aimed at better protecting Americans' privacy from the growing threats of data breaches and identity theft," remarked Judiciary Committee Chairman Patrick Leahy (Vermont), the bill's sponsor. But Leahy acknowledged, "This is not a perfect bill."

Sen. Leahy said the measure is the result of significant consultation with the privacy, consumer protection and business communities. He cited support for the bill by Microsoft, Vontu, the Center for Democracy and Technology, the Consumers Union, the Cyber Security Industry Alliance, and the Consumer Federation of America.

The Judiciary Committee passed substantially similar legislation in late 2005, but it was never taken up by the full Senate. Leahy hopes this year's effort will be successful.

"When we can bring consumer interests and business interests together to the extent that we have, we hope we are close to a bill this committee can support, a bill that can pass and a bill that can make a difference," he said.
