US Senate Bill Holds IT Managers Responsible for Privacy Breaches
A bill introduced in the US Senate on Tuesday by Judiciary Committee Chairman Patrick Leahy (D - Vermont), along with one independent and one Republican backer, aims to strengthen security requirements for all private databases accessible online that may hold personal information. The bill reintroduces language that had been stalled since 2005; if passed, it could hold IT managers accountable and responsible for security breaches in which personal information is pilfered.
"Our bill...requires that companies that have databases with sensitive personal information on Americans establish and implement data privacy and security programs," Sen. Leahy stated in a speech on the Senate floor Tuesday. "In the Information Age, any company that wants to be trusted by the public must earn that trust by vigilantly protecting the databases they use and maintain."
Among the databases most susceptible to the pilfering of citizens' private information, Leahy and the bill's co-sponsors concede, are those belonging to the US Government itself. The latest version of what's being called the Personal Data Privacy and Security Act of 2007 (the complete text of which has yet to emerge from the Government Printing Office) would create new regulations on government contracts with commercial data brokers.
While it apparently won't ban such contracts altogether, the bill would require audits to be conducted on a regular basis of such contracts to periodically determine just who it is the government is dealing with.
In bold language delivered in a speech to Georgetown University last December, Leahy singled out some prominent Republicans, past and present, for having contributed to the creation of an environment where individual privacy is devalued.
"I have long questioned Secretary Rumsfeld about the Defense Department's creation of dossiers on Quakers and peaceful anti-war protestors," he told the gathering. "Congress acted to rein in Admiral Poindexter's Total Information Awareness program. Recently we learned through the press -- and I'm thankful for a free and vigilant press -- that the Bush Administration has secretly been compiling dossiers on millions of law-abiding Americans. It is incredible that the Administration has reportedly been sharing this sensitive information with foreign governments and even private employers, while refusing to allow U.S. citizens to see or challenge the so-called terror score that the government has assigned them based on their travel schedules."
Entities that maintain personal data on individuals would, under this bill, be required to give notice to law enforcement officials whenever unauthorized access to that data comes to their attention. What remains unclear, however, is how the revised bill will delegate authority. If identity theft is elevated in status to a federal crime, do IT managers call their local police or the FBI? Or the Dept. of Homeland Security?
Also, previous permutations of the bill referred to the requirement for implementation of a comprehensive "security program," although the political definition of "program" and the IT manager's definition are somewhat different. Will these requirements affect how security software is constituted? Or, if "program" in this instance is actually synonymous with "policy," will the 2007 edition of the bill become sidelined or even rejected for the same reason the 2005 version was tabled: because a majority of senators declared the bill had no "teeth"?
Some security firms voiced opposition to the 2005 version of Leahy-Specter, specifically for not identifying the measures that security software is expected to take in order to comply with its terms, as well as for the appearance of granting exemptions to certain financial institutions from having to meet the privacy standards the bill would apply to other commercial enterprises.
As MSDN blogger A.J. Law wrote today, "Do you have a documented security incident response plan in place if a problem occurs? How will you communicate with your customers? Do you know if corporate counsel would be needed to help put together such a communiqué? In many of the companies I have visited, the answer to these and other questions is, 'Sort of.'"
"Today, Americans live in a world where their most sensitive personal information can be accessed and sold to the highest bidder, with just a few keystrokes on a computer," Leahy told the Senate Tuesday. "Our privacy laws greatly lag behind both the capabilities of our technology and the cunning of identity thieves. This legislation takes an important and meaningful step to help close this gap."