Add data privacy to Congressional agenda

A serious issue the new Congress needs to address is data privacy. The past few years have seen a sharp increase in the leakage of personal data such as credit card and Social Security numbers from institutions ranging from universities, to banks to government agencies such as the Veterans Administration. According to a list maintained by the Privacy Rights Clearinghouse, a San Diego-based advocacy group, more than 190 such incidents have been reported since February 2005. Ninety of those have been reported since January of this year. The Federal Trade Commission estimates the inadvertent or deliberate extrusion of critical data costs consumers and businesses $50 billion a year. Beyond these immediate costs, data leakage threatens the integrity and growth of ecommerce. Even more ominously, it could harm national security.

State governments and private organizations have responded with legislation and voluntary standards. The federal government has also entered the picture. Last year the FTC recently leveled the largest data privacy fine in its history. But the FTC has publicly stated its investigations and fines are not enough. It needs better tools to ensure that consumers’ most important information isn’t lost, stolen or peddled to the highest bidder. That means new and stronger legislation.

Data privacy bills have been introduced in Congress. The new Congress should take up these bills and pass data privacy legislation in 2007. Any legislation should be guided by the following principles:

* Clear, uniform and comprehensive application. By the end of 2006, 35 states had some type of data privacy law. The leading state law is California’s SB 1386. Given that it covers any company with operations in California, SB 1386 has been called a de facto national data privacy law. But that’s a misnomer. SB 1386’s provisions differ with those of other state laws. The result: Large organizations must tailor their processes and procedures to SB 1386 and other, different state laws. Compliance with multiple legal and often conflicting legal frameworks increases costs and, more important, minimizes the clarity necessary to inspire trust among consumers. It is this trust that is the basis of the continued growth of innovative, digitally based business models and practices. Federal legislation should be clear, uniform and comprehensive. It should authoritatively define “personal data” and “identity.” It must establish national benchmarks that set a floor of protection, rather than a ceiling. Finally, privacy legislation should apply to private and public enterprises, including federal, state and local governments.