This time the bill has come from the Financial Services Committee of the U.S. House of Congress. The draft legislation would allow companies themselves to decide whether or not to inform the public of a data leak. According to InfoWatch, the absence of even the most basic mechanisms of control over business activities in the case of leaks will simply lead to a wall of silence after every incident.
The attempt by Congress to pass the law on data breaches has met fierce opposition from consumer groups who have called the bill the "worst data security bill ever."
The bill, the Financial Data Protection Act of 2005 (H.R. 3997), was passed by the Financial Services Committee by 48 votes to 17. Despite its name, the bill is supposed to protect all private data and not just those of a financial nature. But the bill allows companies to investigate and decide for themselves whether a leak is serious enough to make it worth notifying those affected. If, for example, a company has encrypted the information, it means it can even dispense with the investigation stage and decide whether or not to go public in the case of a leak.
Opponents of the bill point out that the decision of whether or not to inform consumers of a leak should not be left up to the company itself. The fact that the draft law will replace local laws means "data anarchy" could spread across the whole of the U.S. Today, there are a minimum of 11 states that have far tougher laws than those proposed by the new bill.
The new draft law states that if a company conducts a "reasonable" investigation after a breach and determines no "harm" to consumers occurred, the company is not obligated to inform consumers of the breach.
For their part, the supporters of the draft law in Congress said they had created a balanced bill that ensures companies safeguard their sensitive information and sees that consumers are fully protected if data is breached.
Interestingly, if the bill had been in force two years ago, then the general public would never have heard of the leak at ChoicePoint, which put almost every adult American at risk of identity theft and cost the company $55 million. From that point of view, the arguments raised by the bill's opponents sound all the more sensible.
The opponents of the new bill say that it would be much better if the Personal Data Privacy and Security Act of 2005 (S. 1789), passed by the Senate Judiciary Committee in November, were adopted instead. That bill also allows firms not to inform consumers if the risks of identity theft are minimal, but in that case a report has to be sent to the U.S. Secret Service, which may conduct its own investigation.
"It is as if Congress simply wants to look as though it is doing something and to quickly pass any kind of law. The proposed bill from the Financial Services Committee is particularly liberal. In circumstances where neither the authorities nor the public have control over business, companies should not be allowed to make all the decisions on their own. If that is the case, then firms will just remain silent about any breaches," says Denis Zenkin, marketing director at InfoWatch.
Source: Internetnews.com