Congress takes small steps on privacy legislation

While the U.S. Congress focuses on fighting spam e-mail, legislation aimed at protecting consumer privacy online has taken a back seat. The chance of passage of one privacy bill, which would require companies to notify consumers when a database containing private information has been compromised, is in doubt after some in the technology industry opposed the legislation.

Senator Diane Feinstein, a California Democrat, introduced her Notification of Risk to Personal Data Act in late June, but has no cosponsors for the legislation and has drawn the opposition of the Information Technology Association of America (ITAA). Feinstein’s bill, modeled after a California law that went into effect July 1, would require companies to notify customers when they have a reasonable basis to believe they’ve been hacked and had customers’ unencrypted personal information compromised. Encrypted data is exempted from the reporting requirement.

“This bill has a tough but fair enforcement regime, and will give ordinary Americans more control and confidence about the safety of their personal information,” Feinstein said in a statement June 26. “Americans will have the security of knowing that should a breach occur, they will be notified and be able to take protective action.”

A second bill in Congress has been criticized as too weak by privacy advocates such as the Center for Democracy and Technology (CDT). So while CDT and other groups called for comprehensive privacy legislation during privacy workshops at the U.S. Federal Trade Commission in May and June, Internet users will more likely get a piecemeal approach to privacy protection in this year’s Congress.

One such consumer privacy-related action the U.S. Senate took this week was killing funding for a U.S. Department of Defense data-mining project that drew criticism from privacy advocates. Funding for the Terrorism Information Awareness project, formerly called the Total Information Awareness project, at the Defense Advanced Research Projects Agency was killed in an amendment to a defense appropriations bill. Privacy rights advocates had questioned how much information the project would collect on innocent U.S. residents.

Both the Feinstein bill and the California law, known as Senate Bill 1386, that it is modeled after have confused companies about what’s a “reasonable basis” to conclude they’ve been hacked, said Greg Garcia, vice president for information policy at ITAA. The Feinstein bill also leaves open questions about what company should make the notification if an Internet retailer has its databases hosted by a Web services firm, Garcia added.

“I don’t think this bill’s time has come,” Garcia said. “This bill is probably raising awareness on [Capitol] Hill, but I don’t think it’s ripe yet.”

Instead of notifying customers right away when a company is unsure about a security leak, notifying law enforcement might be a better option, he added.

“I think you cause undue concern among consumers if nothing happened,” Garcia said. “What we need … is stronger cooperation between law enforcement and private industry in terms of information sharing.”

Others disagree, saying the California bill takes important steps toward protecting consumer privacy. Bill Schroeder, president and chief executive officer of security vendor Vormetric, said more legislation is needed to protect victims of identity theft. “There really isn’t a lot of legislation protecting those people,” he said.

Schroeder, whose San Jose, Calif., company is pitching a security product called CoreGuard Core Security System to help companies comply with the California legislation, said the law has helped raise awareness among companies that storing data in clear text can be dangerous and that products on the perimeter of a company network, like firewalls, may not be enough.

A bill that may have more support than Feinstein’s is the Consumer Privacy Protection Act of 2003, introduced in April by Representative Cliff Stearns, a Florida Republican, and 22 cosponsors. The Stearns bill requires that companies collecting personal information give customers privacy notices and tell them why the information is being collected. The Stearns bill would also allow customers to opt out of the company sharing that data, and it establishes a way for consumers to electronically report identity theft to the U.S. Federal Trade Commission.

Stearns, the chairman of the House Energy and Commerce Committee’s Subcommittee on Commerce, Trade and Consumer Protection, said in a statement that the bill “strikes a balance in protecting personal information without unduly interfering with the free flow of consumer information that strengthens our economy and benefits the consumer.”

The Stearns bill is preferable to one called the Online Personal Privacy Act introduced in April 2002 by Senator Ernest Hollings, a South Carolina Democrat, in April 2002, said Markham Erickson, director of congressional relations for NetCoalition, a group of Internet companies. Critics of the Hollings bill said it promoted private privacy lawsuits instead of encouraging companies to self regulate, and it only addressed privacy protection online.

The Stearns bill, which explicitly doesn’t allow private lawsuits, is closer to being ready for passage, Erickson said, but Congress may be distracted with antispam legislation. “Right now, I think it’s fair to say the spam issue is what everybody seems to be focusing on,” Erickson said. “The spam issue is going to take up some time.”

Others say the Stearns bill doesn’t go far enough. The Center for Democracy and Technology has been calling for a comprehensive consumer privacy bill for years, said Ari Schwartz, CDT’s associate director. Congressional efforts this year seem destined to fall short of “overarching” privacy legislation that includes protections for consumers both online and off, privacy notice and requirements that consumers give permission before information is shared between companies, Schwartz said.

Congress’ focus on spam isn’t all bad, Schwartz added, because it will give consumers the right to be left alone, which is part of privacy. CDT also supports the Feinstein bill and a call from Senator Charles Schumer, a New York Democrat, for the U.S. Federal Trade Commission (FTC) to issue an alert, warning Web site users to read online privacy policies.

Apparently responding to media reports that some Web sites are selling consumers’ private information although they promise not to, Schumer sent the request by letter to the FTC July 1. “I have no problem with a Web site asking me for my personal information as long as it’s clear about how it’s going to use it,” he said in a statement. “The problem with what’s going on now is that customers who share their info are often misled into thinking their data will be protected. And that’s all too often just not the case.”

The FTC has not yet responded to Schumer’s request.

While the CDT supports the Feinstein bill, Schwartz said it will have a tough time without Republican sponsors in the Republican-controlled Congress. The Feinstein legislation might have a better chance as an amendment to another bill, Schwartz said. “It’s going to be a slow process to get that into federal implementation,” he added.