• PC World
• »Security

WASHINGTON -- After a series of data breaches earlier this year, members of Congress raged about the irresponsibility of breached companies and introduced a flurry of bills requiring companies to notify affected customers when data is lost.

Nine months after a breach at data broker ChoicePoint was announced, Congress has debated a handful of bills, but no data notification bill has passed either the House of Representatives or the Senate. U.S. companies reported more than 60 data breaches between January and September this year, and Congress, as well as a number of state legislatures, responded with dozens of pieces of legislation, many modeled after a 2003 California law requiring companies to tell affected customers about data breaches.

Despite the outcry over the dozens of breaches this year, most observers say Congress is unlikely to pass a data breach notification bill until sometime in 2006, partly because of growing concerns that most of the bills would take a step backward from existing state laws. With Congress focusing on other issues this fall, some consumer and privacy groups are in no hurry to see federal data breach notification legislation pass--at least not most of the bills introduced so far.

"They're driving toward such a weak standard, [legislation] may get stuck," said Gail Hillebrand, senior attorney with Consumers Union, a consumer advocacy group. "If it's that weak, it should get stuck."

States Take the Lead

Twenty-one states have now passed some form of a data breach notification bill. They include a tough New York law that makes no exception for small data breaches, or breaches unlikely to result in identity theft, and that is set to go into effect next month. This "patchwork quilt," as some critics have called the multiple laws, has caused some large businesses and trade groups to call for a national law that preempts state legislation.

Many of the congressional bills allow breached companies to decide if the breach is likely to lead to identity theft, and thus warrants consumer notification. Consumers Union and privacy advocacy groups such as the Center for Democracy and Technology (CDT) say companies would have little incentive to report any breach without some government oversight.

"You don't want the [notification] trigger so subjective that you never report," said Dan Burton, vice president of government affairs for Entrust, a security software vendor.

Too Many Notifications?

Backers of such provisions say there's a danger of consumers becoming numb if they get dozens of breach notifications a month. Earlier this month, a subcommittee of the House Energy and Commerce Committee approved a bill, called the Data Accountability and Trust Act, that would require companies to notify affected consumers of breaches when there's a "significant risk" of ID theft. The DATA bill would have to be approved by the full committee before going to a vote on the House floor.

A broader notification standard would drive up costs for businesses and inundate consumers with meaningless warnings, said Representative Cliff Stearns, a Florida Republican and chairman of the House Subcommittee on Commerce, Trade, and Consumer Protection. "This bill sets strong national standards, provides for increased oversight of information brokers, and creates a workable data security and breach notification regime that provides incentives for technological solutions to security issues that will benefit consumers and the nation's commercial infrastructure alike," Stearns said in a statement.

Some Democrats on the subcommittee criticized the "significant risk" standard in the bill. Concerns about too much notification are "disingenuous," said Representative Jan Schakowsky, an Illinois Democrat.

"The right response to overnotification is not to restrict information and to keep consumers and Congress in the dark," she said during a Nov. 3 hearing. "If we want to stop overnotification, then corporations need to clean up their act so consumersa?? personal information is not compromised in the first place."

Prevention

Even groups supporting a national data bill have questions about the legislation now in Congress. While ITAA, an IT industry trade group, supports a national law that preempts state legislation, many of the current bills focus too much on notification and not enough on preventing data breaches, said Bob Cohen, ITAA's senior vice president. ITAA called for Congress to encourage businesses to employ better data protection measures.

"We are concerned that much of the emphasis in this legislation focuses on horses already out of the barn," Cohen said. "We believe that legislation will be most useful when, along with an appropriately designed notification standard, it also creates incentives for business to adopt practices that protect data and obviate the need for notification."