john_dix
Editor in Chief

Privacy bill calls

Opinion
Aug 1, 20052 mins

In response to a string of prominent data privacy gaffes this past spring, Congress just proposed legislation that will have broad IT implications for many companies.

The Personal Data Privacy and Security Act of 2005, cosponsored by senators Patrick Leahy (D-Vt.) and Arlen Specter (R-Pa.) is a 91-page bill designed “to prevent and mitigate identity theft; to ensure privacy; and to enhance criminal penalties, law enforcement assistance, and other protections.”

For network executives, the important stuff is in the section on Privacy and Security of Personally Identifiable Information (pages 37 to 63), which spells out who must comply and what they must do.

The bill applies to any business “engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of personally identifiable information in electronic or digital form on 10,000 or more U.S. persons.” It does not, however, apply to organizations subjected to the Gramm-Leach-Bliley Act or Health Insurance Portability and Accountability Act (HIPAA).

Companies that fit the profile have to “implement a comprehensive personal data privacy and security program . . . that includes administrative, technical, and physical safeguards.”

The bill roughly identifies core technical areas that need to be addressed: “Each business entity shall . . . control access to systems and facilities containing personally identifiable information, including controls to authenticate and permit access only to authorized individuals; detect actual and attempted fraudulent, unlawful, or unauthorized access . . . ; [and] protect personally identifiable information during use, transmission, storage, and disposal by encryption or other reasonable means.”

What’s more, the bill will require companies to do regular vulnerability testing, the frequency and nature of which would be determined by risk assessments that are also required by the bill.

Penalties for violations can be stiff – $5,000 per violation, per day, and up to $35,000 more per day if the conditions persist – and companies in violation are also open to civil actions that could lead to punitive damages.

Failure to notify affected individuals and the authorities (the Secret Service and the attorney general in each state affected by a breach) carry even tougher fines: $5,000 to $55,000 per day.

While not as far reaching as Gramm-Leach-Bliley or HIPAA, the bill as proposed will have similar consequences, requiring organizations that fit the mold to jump through hoops to comply. As painful and expensive as that may be, it is required medicine for the industry. The breaches have been too catastrophic.