Boy oh boy, do we ever need a comprehensive federal data protection law in the U.S.! Each week more and more state level laws are introduced, many of them passed, all dealing with different aspects of data protection, and all impacting and complicating an information security and privacy professional’s responsibilities.
This past week was a busy one with a flurry of new and updated bills related to protecting privacy introduced, and a few new state laws.
Here’s a quick laundry list:
State bills:
* The Minnesota Senate May 16 passed H.F. 1758, “Regulating Access Devices,” to allow banks to recover from merchants the costs incurred as a result of the breach of credit and debit card data retained by a merchant.
* The California Assembly Judiciary Committee approved A.B. 779 on April 17. The Assembly Business and Professions Committee then approved the measure April 30 after making technical amendments and referred A.B. 779 to the Assembly Appropriations Committee. The bill was amended on the Assembly floor May 14 in a new version of A.B. 779. The amended measure was sent back to the Appropriations Committee May 15.
* The Texas House May 10 unanimously passed H.B. 3222 that would amend its data breach notification law to allow banks to recover breach costs from merchants. The bill has been referred to the Business and Commerce Committee.
* Connecticut bill S.B. 1089 would amend existing state data breach notification law to make covered entities, including merchants, liable to banks if a bank customer’s personal or financial account information is affected by a breach. S.B. 1089 would make merchants liable to banks for “the costs of any reasonable action undertaken by the bank or out-of-state bank on behalf of its customers as a direct result of the breach of security in order to protect the sensitive information or financial interests of such customers or to continue to provide financial services to such customers.”
* Illinois S.B. 1675 was approved in committee and is awaiting a third reading and vote on the Senate floor. The third reading deadline is May 31. This bill would make data collectors, including merchants, that face a data breach of credit or debit card information, liable to any financial institution that incurs costs or damages related to the breach, including cancellation and replacement of cards and coverage of fraudulent charges made using the compromised cards.
* Massachusetts H. 213 would require retailers to compensate banks for fraudulent purchases and credit card replacement costs that result from merchant data breaches.
* In Montana, anti-pretexting bill S.B. 192 was signed into law on May 3, making it a crime to pose as another person to gain confidential information about that person. The law establishes a new crime, criminal invasion of personal privacy, punishable by up to one year in prison or a $10,000 fine, or both. The law specifies that impersonating another individual to gain information is not a crime if the person whose identity is at stake has given the perpetrator permission to do so.
* In Tennessee, Gov. Phil Bredesen signed H.B. 200 into law on May 16. The law will allow state residents to place security freezes on their consumer credit reports to deter identity thieves from opening new credit accounts, making Tennessee the 36th state to enact a credit freeze law. The new law takes effect January 1, 2008.
More state actions occurred in Washington (amended its freeze law), New Jersey (the senate approved bills prohibiting text message spam and spoofed sender data), and Georgia (sent the governor a bill expanding its breach notice law).
Federal bills:
* The “Community Banks Serving Their Communities First Act of 2007” (S. 1405), introduced in the Senate May 16, would exempt community banks from internal control reporting requirements under Section 404 of the Sarbanes-Oxley Act, as well as from requirements to send annual privacy notices to customers.
* H.R. 2290, cybersecurity legislation introduced in the House May 14, would eliminate the requirement of interstate or foreign communication for offenses involving protected computers, would make it a crime to access the personal information of individuals without permission, would provide stricter penalties for certain computer crimes, and would provide additional funding for federal authorities to fight cybercrime. It would amend portions of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, to criminalize the intentional access of a computer without authorization or in excess of authorization to obtain “a unique electronic identification number, address or routing code, or access device from a protected computer.”
* The “Student Financial Aid Data Privacy Protection Act,” S. 1401, introduced May 15, would establish new operating procedures for the National Student Loan Data System (NSLDS), including better disclosure to borrowers of how their personal information is stored and used. The Education Department would be required to implement new data security measures to protect the personal information of borrowers included in its central student loan eligibility database and to ensure such data is not used for marketing purposes.
* On May 16 S. Res. 205, designating June 2007 as “National Internet Safety Month,” was considered and agreed to.
* On May 11 an amendment was adopted to H.R. 2082 “Intelligence Authorization Act for Fiscal Year 2008,” to state that the Foreign Intelligence Surveillance Act of 1978 (FISA) shall be the exclusive means by which domestic electronic surveillance for the purpose of gathering foreign intelligence information may be conducted, and to make clear that this applies until specific statutory authorization for electronic surveillance, other than as an amendment to FISA, is enacted.
* On May 17 H. RES. 414, “Expressing the sense of the House of Representatives that foreign governments should work diligently to legalize all computer software used by such foreign governments, and for other purposes,” was sent to the House Committee on Foreign Affairs.
* On May 17 H.R. 2368 “To provide for updated and secure social security cards” was referred to the House Committee on Ways and Means.