A year after major breach, data-security bills stalled

By Heather Greenfield

May 22, 2007

Tuesday was the one-year mark since Congress learned of a stolen laptop computer that contained personal data on 26.5 million veterans and active-duty military personnel. But while Congress last year cleared data-protection measures aimed specifically the Veterans Affairs Department whose employee lost that computer, it has not passed broader legislation.

Larry Clinton, director of the Internet Security Alliance, said he is encouraged that recent security breaches have made lawmakers aware of cyber-security problems but lamented the limited activity to correct the problems.

"I find it a little bit disheartening the approaches [to improve security] haven't been implemented and a little disappointed the approaches don't seem to grasp the problem we're dealing with here," Clinton said.

The Senate has been active in recent weeks, with the Judiciary Committee approving a bill, S. 495, that would boost punishment for cyber crime, require notification to victims of data breaches, and require businesses to take steps to minimize risks. In the bill, the committee said it found that 9.3 million Americans were victims of identity theft last year.

The Senate Commerce Committee also has approved a measure, S. 1178. It has breach-notification provisions, too, and a provision allowing victims to freeze credit reports.

On the Senate Banking Committee, Robert Bennett, R-Utah, and Thomas Carper, D-Del., have submitted legislation, S. 1260, similar to theirs from last year and have added a provision to the Commerce bill to extend the requirements to government agencies.

Senate Majority Leader Harry Reid, D-Nev., has been pushing committee chairmen to reach a consensus.

The House may face a tougher battle, as the legislation touches on the jurisdiction of the Energy and Commerce, Judiciary, Financial Services, and Oversight and Government Reform panels.

Virginia's Tom Davis, the ranking Republican on the Oversight and Government Reform Committee, has introduced a bill, H.R. 2124, that would provide notification requirements for federal agencies. The other committees are still working on their bills.

"The reason we didn't get good data-security legislation last year was the jurisdictional lines -- not a lack of consensus on ideas," Clinton said.

"There are lots of different approaches to breach legislation and lots of committees of jurisdiction, so this isn't going to be easy," said Shannon Kellogg, the director of information security policy at EMC, which recently merged with RSA. "We're hopeful a reasonable federal bill can move this year."

By reasonable, he said he means a bill with a national standard for breach notification that is based on some link to the risk of harm, plus a national standard for safeguards that uses incentives rather than picking technology standards and imposing penalties for not adopting them.

Kevin Richards, a lobbyist for Symantec, agreed that the battle has been jurisdictional but said, "Leadership realizes this is an issue that resonates with voters, and they want to move forward." He expects that still can happen this year.

Clinton and Kellogg are hopeful but consider the odds a "toss up."

By Heather Greenfield

May 22, 2007