Security groups cautious about data security and file sharing bills

House panel hears concerns that breach notification could weaken states' privacy laws and forcing peer-to-peer companies to tighten security could stifle innovation.

Security professionals told a House panel on Tuesday that two bills aimed at protecting citizens' privacy could weaken states' existing regulations and stifle innovation.

The first bill, the 2009 Data Accountability and Protection Act (H.R. 2221), would require companies that store personal information to notify customers if their data has been exposed by a hacker who successfully breaks into their network.

"I like H.R. 2221, I believe it would prevent excessive notifications," Robert Holleyman, president and chief executive officer of the Business Software Alliance, told the House Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection. He said data breaches increased 48 percent in 2008 from the previous year and 20 percent of all data breaches involve the government.

The bill, introduced by Rep. Bobby Rush, D-Ill., also would impose regulations on data brokers and require companies to take steps to secure consumers' personal information. The bill would require information brokers, companies that aggregate personal data by purchasing it from other companies and then reselling it, to submit their security policies to the Federal Trade Commission, which would audit a company's information security practices after a data breach occurs. The brokers also would have to give each individual whose information they maintain free access to that data once a year, after verifying the information and the identity of the user.

The bill was introduced during the past two congressional sessions but has never made it to the floor for a vote. During his opening statement, Rush acknowledged that the bill could be out of date and said he is open to changes that will make it stronger and more effective.

Rep. George Radanovich, R-Calif., said he supported the bill partly because of a 2005 incident involving Atlanta-based data aggregation company ChoicePoint, which experienced a data breach that exposed 128,000 records and resulted in 5,000 cases of identity theft. Data breaches cause "consumer confusion and unnecessary expense," Radanovich said, noting that the issue was particularly important to consumer confidence during the current economic downturn.

The Bureau of Consumer Protection at the Federal Trade Commission "strongly supports the goals of H.R. 2221," especially the provision that allows the government to seek civil penalties from companies that violate the law, said Eileen Harrington, acting director of the bureau.

According to David Sohn, senior policy counsel for the Center for Democracy and Technology, most states have already passed laws that require companies to notify consumers if their personal information is exposed, and the federal bill, which would preempt those state laws, could weaken some of those state laws.

Forty-four states have passed notification laws, and the new bill could prevent states from enacting stricter measures, said Marc Rotenberg, executive director of the nonprofit Electronic Privacy Information Center.

The second bill the panel discussed, H.R. 1319, aims to prevent the inadvertent sharing of private information via peer-to-peer file sharing programs, which computer users download onto their systems to share files, mostly songs and video. But the applications, if not properly configured by users, also provide access to other files on their computer or network, which can contain personal information such as medical and tax data.

In her opening statement, Rep. Mary Bono Mack, R-Calif., who introduced the bill, blasted the peer-to-peer industry for not taking the responsibility to rework its software to make the applications more secure. "The hands-off approach has not worked," she said. "How many more medical records and tax returns will it take? Enough is enough."

Robert Boback, chief executive officer of Tiversa Inc., which monitors peer-to-peer file sharing networks for sensitive or stolen data, said the public, including most high-ranking officials, is unaware how much data is stolen from computers that are part of a peer-to-peer network. During a recent 60-day period, his company found nearly 4 million instances in which files such as tax returns and schematics were inadvertently shared or intentionally stolen.

Some panel members said the bill did not define peer-to-peer software precisely, and that without a more exact definition the bill could stifle innovation by allowing the restrictions to be applied to more products than originally intended.

Rotenberg called it "dangerous to legislate a technique," saying peer-to-peer is a generic description of a popular networking method and not a useful basis for crafting legislation.

"The right approach is to narrow the bill to address the specific concerns" of inadvertent data sharing, he said. But Rotenberg said he generally favors the bill.
