Cyber Security Institute

Thursday, June 30, 2005

Senate Ponders Toughest Data Protection Bill Yet

Two senior U.S. Senators introduced a wide-ranging data protection bill Wednesday that would send officials from companies who do not disclose security breaches to jail for up to five years, and bring the RICO Act to bear on identity theft gangs.

Arlen Specter (R-Pa.), the chairman of the Judiciary Committee, and that committee’s ranking member, Sen. Patrick Leahy (D-Vt.), rolled out the most aggressive bill yet in reaction to the wave of security gaffes that have exposed millions of Americans’ identities since the first of the year.

Among its provisions, the Personal Data Privacy and Security Act of 2005 would create a new computer crime classification—aggravated fraud—that would add two years of additional jail time for obtaining or accessing another’s digital ID; severely restrict the use of Social Security numbers as account identifiers or numbers; and hold company executives responsible if they hide a data breach.

Both Leahy and Specter predicted quick passage of the bill, which is the first to sport a Republican as sponsor.

Several other bills that take on the data exposure problem have come from several prominent Democrats, including Dianne Feinstein (D-Calif.) and Charles Schumer (D-N.Y.).

—Add new penalties to the books by extending computer fraud to cover unauthorized access of data brokers’ systems (the statute already covers financial institutions and credit card issuers), meaning that criminals could face up to 10 years in jail; giving the government the power to invoke racketeering charges under the RICO statute to prosecute criminal gangs trading in identities; and putting company officials in prison for up to 5 years if they conceal a data breach.

—Enact a bevy of new regulations that cover “data brokers,” defined as business or non-profits “in the practice of collecting, transmitting, or otherwise providing personally identifiable information on a nationwide basis on more than 5,000 individuals.”

Among the regulations: data brokers would have to allow consumers the chance to change their information, and as with a credit report, receive a copy of that information at their request.

—Require businesses not already covered by the Gramm-Leach-Bliley Act or HIPAA (Health Insurance Portability and Accountability Act of 1996) to create a data privacy and security program.

That part of the Leahy-Specter bill also expands disclosure rules nationwide, and mandates that customers be informed of any security breach involving more than 10,000 people, or that involved a database with more than a million entries. It also forces the General Services Administration (GSA) to review government contractors’ privacy and security programs before awarding contracts.