Data Security Bill Sparks
Privacy, Technological Concerns
By Jennifer LeClaire, E-Commerce
Times
This article was originally
published by E-Commerce Times at http://www.ecommercetimes.com/story/49455.html
on March 20, 2006.
In the wake of a string of high-profile data breaches reported by banks, retailers and credit
card companies, a U.S. House panel on Thursday approved a bill
drafted to protect consumers from identity theft and credit card
fraud.
The House Financial Services Committee cleared the Financial
Data Protection Act of 2005, which spells out requirements for companies
to investigate breaches and notify law enforcement and consumers.
The bill seeks to ease compliance for the financial industry by
setting a single national standard for data security that would override state
notification and credit freeze laws.
Democrats are criticizing the bill, claiming it erodes essential
protections that allow consumers to prevent identity thieves from
opening credit accounts in their names and require companies to
inform consumers when their personal data have become compromised.
Meanwhile, privacy lawyers and information security companies
are beginning to weigh in on the potential ramifications of this
pending legislation.
An Ironic Bill?
"It is ironic that after a year in which over 55 million
Americans' identities were put at risk through preventable data
breaches, the House Financial Services Committee would repeal
state laws that have protected consumers from identity theft,"
said Susanna Montezemolo, policy analyst with Consumers Union,
nonprofit publisher of Consumer Reports magazine.
Montezemolo compared the bill to buying a fire detector after
your house has burned down: it is too little, too late. Consumers
shouldn't have to wait until an identity thief has already bought
a Lexus in their name in order to have the right to protect themselves,
she said.
"Rather than voting to protect consumers, the Committee
made things worse. All consumers should have the right to sleep
at night without worrying about identity theft -- this bill takes
us in the exact wrong direction," said Ed Mierzwinski, Consumer
Program Director for the U.S. Public Interest Research Group.
Businesses Face Perception Issues
Despite the consumer advocacy backlash, the Financial Data Protection
Act of 2005 has potentially positive implications for businesses,
according to Randy Gainer, an attorney with the law firm of Davis
Wright Tremaine LLP in Seattle.
Businesses need to respond to the perception among consumers
that if consumers provide sensitive private data to businesses,
the data are at risk of being misused for fraud and identity theft,
Gainer said.
"That perception has apparently contributed to a decrease
in the number of consumers who are willing to provide their information,
for example, to online businesses. That, in turn, has caused some
businesses that, in the past, have opposed privacy and security
regulations to support effective privacy and security laws,"
Gainer told the E-Commerce Times.
Microsoft's Two Cents
Gainer pointed to Microsoft (Nasdaq: MSFT) General Counsel Brad
Smith's March 9 keynote address to the International Association
of Privacy Professionals in which he said Microsoft now supports
the effort to develop a comprehensive national privacy law.
Notably, Smith said that Microsoft does not favor complete preemption
of state authority to enforce such a law; rather he said that
state attorneys general should have a role in enforcing any such
national law.
Microsoft opposes a national law that addresses only data breach
notification requirements because there are already too many disparate
laws that impose various duties related to data privacy and security,
Smith said. Instead, Microsoft favors one comprehensive data privacy
statute.
Reducing Expenses
There are more than 20 state laws that require consumers to be
notified when sensitive data are disclosed. These laws include
several different standards for when such notices must be sent.
This generally requires businesses with consumers from multiple
states to apply the most restrictive standard, which is to notify
consumers when there is any unauthorized disclosure, Gainer said.
"Because notifying consumers is expensive, may trigger class
action lawsuits against a business, and causes harm to businesses'
reputations and goodwill, many businesses favor a notification
standard that requires that consumers be notified only when consumers
are likely to be exposed to fraud or identity theft as a result
of a data breach," Gainer said.
Security and Compliance
The legislation may offer benefits, but it also offers new challenges
for businesses, said Bruce Eissner, CEO of information security
firm Polar Cove, and those challenges may be more than technological.
"The purpose of the legislation is to ensure consumers'
privacy via secure management of relevant data. That kind of management
requires people -- people who are qualified, trained, vigilant,
and have strong senses of responsibility. It requires training
those people, not just in using technology but in understanding
the risks their companies and customers may face," Eissner
told the E-Commerce Times.
Beyond just implementing technology solutions, Eissner said businesses
need to build security and compliance into their cultures and
into their business strategies. "The businesses
that become proactive will not only be leaders but could become
winners in the current environment," Eissner noted.