NEW YORK (CNN/Money) -
If we've learned anything from the massive consumer data breaches that have been reported this year, it's this: There isn't much protecting us from having our personal information exposed, traded or stolen.
That may soon change. Many states have already passed identity theft-protection and security-breach notification laws. Now, Congress is looking to jump on the bandwagon, too.
In the Senate, a number of bills have been introduced, aiming to provide such things as:
- Greater protection of and control over the use of key personal data such as Social Security numbers and financial account information
- Increased penalties for breaches and for facilitating identity theft; and
- A nationwide standard for notifying consumers when their personal information has been breached.
Consumer and privacy advocates are heartened by the momentum on the Hill, and they are pleased that both the Senate Judiciary and the Senate Commerce committees are actively working on the issue.
But any bill that passes into law should not pre-empt stronger state laws, they say.
"We support a law that sets a basic floor for states. But states should be able to experiment and come up with new ways to protect consumers," said Kerry Smith, a consumer attorney with the National Association of State PIRGs.
Also critical are the definitions, said Chris Hoofnagle, director of the West Coast office of the Electronic Privacy Information Center. For instance, he said, how will "data brokers" be defined? What will characterize "personal information"? What will constitute a "trigger" requiring that consumers be notified of a data breach?
"The devil's in the details," Hoofnagle said.
Among the bills that have been introduced are several from members of the Judiciary Committee: Arlen Specter (R-Pa.) and Patrick Leahy (D-Vt.), Dianne Feinstein (D-Calif.) and Jon Kyl (R-Arizona), and Charles Schumer (D-New York), who introduced his bill with E. Benjamin Nelson (D-Nebraska) of the Commerce Committee.
The bipartisan Specter-Leahy bill is likely to get the most attention, Hoofnagle said, because it has the support of both the Judiciary Committee chairman (Specter) and the ranking Democratic member (Leahy).
Below are some of the provisions proposed in the bills:
Limit use, trade and exposure of Social Security numbers: All the bills include a provision protecting your Social Security number, which can greatly facilitate identity theft.
The Specter-Leahy bill would prohibit companies from using consumers' Social Security numbers as account numbers; limit the instances in which the number may be demanded to obtain goods and services; and limit the buying, selling or displaying of a person's Social Security number without consent from that person.
In the Schumer-Nelson bill, companies also could not display Social Security numbers on employee identification cards.
Regulate data merchants: In the Schumer-Nelson bill, companies like ChoicePoint and Lexis/Nexis would have to register with the Federal Trade Commission. They would only be allowed to take on customers who pass a "reasonably effective" background check. They also would be required to track who accessed which records and for what lawful purpose.
Since a lot of identity theft is perpetrated or aided by company insiders, who are never subject to the vetting applied to customers, any provision requiring a company to track who is accessing the information is welcome, Smith said.
In the Specter-Leahy bill, data brokers would have to implement data privacy and security programs.
Give individuals more control over their information: In the Specter-Leahy bill, individuals would have access to and the opportunity to correct personal data held by data brokers.
Standardize protection of all personal data: In one bill from Feinstein, companies would have to let consumers "opt in" when it comes to the use of their most sensitive personal data, such as Social Security numbers, and to "opt out" when it comes to the use of less-sensitive information, such as name, address and phone number.
Opt-in policies better protect your personal information because the presumption is that it may not be bought, sold or displayed to third parties, unless you say otherwise.
Create a national notification standard: The Specter-Leahy, Schumer-Nelson and Feinstein-Kyl bills all include provisions that would require businesses and government agencies to notify consumers across the country when there has been a breach of personal information.
Currently, 15 states have passed security-breach notification laws, while four others have passed legislation that awaits gubernatorial approval.
Recognition of credit freezes: As part of its breach-notification requirements, the Specter-Leahy bill would require companies and government agencies to notify consumers whose information is at risk of their right to place a security freeze on their credit reports, if they live in a state that permits freezes.
"It's the first step to federal recognition of credit freezes," Hoofnagle said.
When you place a freeze on your credit report, no new creditor may access your credit bureau reports. However, those creditors with whom you have a standing relationship (e.g., your credit card issuer) can still get access.
To lift the freeze, you must call the credit bureaus and give a special security code, lifting it either for a particular creditor or for a period of time, Smith said.
Currently, 10 states have credit-freeze laws on the books, although not all are in effect yet; one state (New Jersey) has a law waiting for the governor's signature; and seven other states have credit-freeze legislation pending.