Last week, the Senate Committee on Commerce, Science and Transportation held a hearing on Privacy and Information Security. Senator Rockefeller made a point of emphasizing his committee’s jurisdiction over privacy and data security issues. I think this statement alone shows a rift in the Senate’s perspective on Information Security, given the newly formed subcommittee on Privacy within the Senate Judiciary Committee. I really hope that posturing and territorialism don’t hold up any new legislation this year, but it looks like they will.
Senator Toomey (R-PA) wanted to draw a distinction between privacy and security while bringing up the need for a cost-benefit analysis for the proposed regulations (read between the lines, changes to Privacy laws at least won’t be happening anytime soon).
From the perspective of business, all the legislation proposed this year needs to do is set a national standard for data breaches that preempts state law, so that there is one standard to follow rather than 46 different rules based on who your customers are and where they live. From the perspective of the states, they want a law that allows them to more easily sue offenders, thereby protecting their residents and generating a new revenue source. At the same time, states don’t want the penalties to be too harsh, for fear of appearing anti-business.
Most likely, any new data breach law will mirror HIPAA/HITECH. HIPAA has two types of penalties – penalties for non-compliance and penalties for wrongful disclosure. For HIPAA, non-compliance penalties start at fines of $100 per violation, capped at $25,000. For a wrongful disclosure, penalties can range from $50,000 to $250,000 and may include a prison sentence depending on the crime. All of the new legislation proposed this year has substantially higher penalties.
So what makes health-related financial crime better or worse than SSN theft, for example? Have efforts to keep patient data secure cost doctors and hospitals money? Has HIPAA put healthcare out of business? Okay, bad example given the rising costs of healthcare, but you get the picture.
So what should Al Franken do next? Force companies to make their default settings completely private? Require background checks for companies that have access to consumer information? Push for a Do-Not-Track mechanism built into the web?