Feinstein Charges Again on Data Breach Notification Bill
California senator says identity theft can't be stopped without strong congressional action.
If Thursday's attendance at Feinstein's hearing on data privacy is any indication, Feinstein will need a big straw. Only Feinstein, the chairman of the Subcommittee on Terrorism, Technology and Homeland Security, and ranking Republican member Jon Kyl (R-Ariz.) showed up. Kyl left 30 minutes after the hearing began.
"The law allows people to take steps to protect themselves from identity theft -- but that is of no use unless people know they are at risk," Feinstein said. "The problem of identity theft is persistent, and it will not be solved without a strong effort from Congress."
Feinstein's bill failed to attract much interest when it was introduced in 2003. After the ChoicePoint data breach in 2005, Feinstein regrouped in the 109th Congress and attached the legislation to Sen. Patrick Leahy's (D-Vt.) larger privacy bill. The Senate Judiciary Committee approved the measure, but the bill never reached the Senate floor for a vote.
This time around, Feinstein says she wants to push the legislation as a standalone bill so "people's data that is at risk can be notified."
The bill would require businesses and government agencies to notify consumers of data breaches under certain circumstances. Businesses would be allowed to make a "risk assessment" of a data breach and notify consumers only if there is a "significant" risk of harm.
Businesses would, however, be required to notify the Secret Service of the breach. If the Secret Service disagrees with the risk assessment, then the business would be required to mount a data breach disclosure campaign.
Feinstein said her proposal mandates a risk assessment, but does not legislate the actual protocol of the assessment. Witnesses at the hearing applauded Feinstein's efforts, but questioned some of the proposals in the bill, particularly the risk assessment requirement.
"How you conduct risk analysis can be very tricky," Joanne McNabb, chief of the California Office of Privacy Protection, told Feinstein. "You don't have forensic facts to say that data was actually compromised."
James Davis, UCLA's chief information officer and vice chancellor for information technology, agreed with McNabb, adding, "The definition of 'significant risk' is very difficult."
In November, UCLA discovered a breach of the university's computer system when system administrators noticed an unusually high volume of activity on a campus data center. The information potentially exposed to identity theft -- Social Security numbers, dates of birth and home addresses -- belonged to more than 800,000 UCLA students, faculty and staff.
"Computer forensics uncovered evidence that significantly confirmed only a small percentage of the 800,000 individuals had their Social Security numbers accessed and needed notification under California law," Davis said. "The campus then faced a difficult decision about whether to notify the vast remainder of potentially affected individuals in the absence of significant confirming technical evidence."