The Notification of Risk to Personal Data Act, S. 751, introduced by Senator Dianne Feinstein (D-CA), would require both businesses and government agencies to notify individuals -- in writing, by e-mail or, in limited cases, by a web site posting or media release -- when there is reason to believe that their personal information has been acquired by an unauthorized person. The aim is timely notice of lost or stolen personal data so that consumers can act to prevent identity theft. Most businesses would support a national notification law if it preempts conflicting or overlapping state law requirements and if it contains a safe harbor that keeps compliance from becoming too onerous.
Competing with it is the Personal Data Privacy and Security Act, S. 1332, introduced on June 29 by Senators Arlen Specter (R-PA) and Patrick Leahy (D-VT), Chairman and ranking member of the Senate Judiciary Committee. This comprehensive data security and privacy protection measure would regulate data brokers and require them to notify consumers of data security breaches, except when the risk of harm to consumers from such a breach is "de minimis." The bill also gives consumers the right to see and seek correction of their personal information as it is maintained by data brokers, extends federal privacy law protection to data maintained by government contractors, imposes stiff new penalties for identity theft, and restricts the use of Social Security numbers on government records and in business transactions.
Meanwhile, the Senate Commerce Committee bill, S. 1408, was introduced on July 14 by Senator Gordon Smith (R-OR), Committee Chairman Ted Stevens (R-AK), ranking member Senator Daniel Inouye (D-HI), and committee members John McCain (R-AZ), Mark Pryor (D-AR) and Bill Nelson (D-FL). It has a credit freeze component, which is causing some controversy in the financial institutions community. The bill would cover any entity (except a government entity) that holds individuals' sensitive personal information and would require companies "to develop, implement and maintain an effective security program." It is built on the Gramm-Leach-Bliley financial services reform bill. Its provisions would be enforced with a series of fines -- $11,000 per individual who experiences a security breach, up to a cap of $11 million. Covered entities would generally be prohibited from using Social Security numbers, and breaches of security would have to be reported to the FTC, which would publish the breach information on its website.
There is also the Barton-Dingell bill, introduced July 11 by House Energy and Commerce Committee Chairman Joe Barton (R-TX-06) and ranking member John Dingell (D-MI-15), which would instruct the FTC to design a system for establishing security procedures to be imposed on companies that hold individuals' personal information. Such a security policy would cover the use, sale or dissemination of personal information and would require data storage companies to hire a person responsible for information security issues. The FTC would have to review information brokers' security policies annually, and information brokers would have to give individuals access to their own personal data. Companies covered by the law would have to report security breaches to individuals, but the FTC would determine which breaches trigger the notification requirement. The bill contains no restrictions on the use of Social Security numbers.