This story appeared on Network World at http://www.networkworld.com/columnists/2007/021907bradner.html
The Leahy privacy bill: coddling the criminals?
By Scott Bradner, Network World, 02/19/07
After the data breach about a year ago that exposed the personal information of some congressmen, I was sure that there would soon be a federal bill enhancing privacy protections (see Privacy: A personal touch). But that was not to be.
I guess the big companies that make a profit by violating your and my personal space have enough clout on Capitol Hill to get even a congressman whose data was exposed to back off. When the election changed the power picture in Washington, D.C., I had a little burst of hope that something meaningful would happen in this space, but I'm mostly disappointed in what the change has actually brought.
In early February, Senators Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, and Bernie Sanders (I-Vt.) introduced the "Personal Data Privacy and Security Act of 2007."
From the press release and a quick read of the proposed legislation, it looks quite good. Even on a more detailed reading the bill has some good stuff in it, but in the end the bill does more to protect the people who are sloppy with your data than it has any real teeth to prevent the sloppiness in the first place.
The bill concerns itself with the protection of "sensitive personally identifiable information." This includes your name along with Social Security number, passport number or driver's license number; your home address and mother's maiden name or your date of birth; a biometric ID (e.g., fingerprint); bank account number and PIN; or credit card and security code. (Note that the new RFID passports may meet this definition because they include your name and picture.) As you might expect, the bill would override any state or local laws that address the same issues.
Under the bill, anyone who has this information about you must endeavor to protect it "equal to industry standards" and must notify you if it is improperly accessed. Failure to notify, even where just one person's information is exposed, can generate a fine of $1,000 per day, as much as $250,000 and as many as five years in jail. These can be doubled if the failure is intentional and willful.
Under the bill, you can ask to see your record (not including any list of purchases they might have for you) that is held by a data broker and ask for it to be corrected if you see anything wrong. The broker can tell you to go away if it wants to claim you are being "frivolous."
The bill would require anybody or any company that has personal information about more than 10,000 "U.S. persons" to create a protection program much like the one the Gramm-Leach-Bliley Act requires (a risk assessment, employee training, etc.). Fines of $5,000 per day can be imposed for failure to have the protections or to have such a program -- also doubled if intentional or willful.
Charges for violations under this bill can be brought by state attorneys general or by the Federal Trade Commission (FTC). The bill removes any right for the party hurt by the exposure -- i.e., you -- to bring private action.
Taking all enforcement out of the hands of the citizens basically removes any incentive for a company to do the right thing. In almost all cases the FTC does not fine anyone, but just makes them promise not to be bad in the future. The FTC does not make organizations exposing private data admit they were bad this time. Few state attorneys general seem to be interested in this sort of thing -- Eliot Spitzer, New York's former attorney general, was an exception.
So by blocking the ability to bring private action, this bill tells businesses that they will get a free pass if they mess up. It is hardly a pro-privacy clarion call. It's all very disappointing, but sadly, not all that surprising considering we are talking about Washington.
Disclaimer: Harvard trains lawyers who can help correct Washington's lapses, but only if they are permitted to do so. The above is my opinion, not the Law School's or Harvard's.