Senate Commerce Data Security Bill Called Most Likely to Pass in 2007

Departing House Commerce Committee Chmn. Barton (R- Tex.), an early dropout in the minority leader race, is expected to stay “very active” on privacy issues next Congress whether or not he becomes Commerce ranking member, said Venable privacy lawyer Stu Ingis during the teleconference. Barton is co-chair of the Privacy Caucus with Rep. Markey (D-Mass.), who hasn’t decided on a chairmanship to seek. Privacy “won’t be an early priority” for incoming Chmn. Dingell (D-Mich.) but may arise later, Ingis said. Consumer Protection Subcommittee Ranking Member Schakowsky (D-Ill.), considered a privacy hawk, may be too junior to become chairman, he added.

Incoming House Judiciary Chmn. Conyers (D-Mich.) is “less likely to have opposing legislative vehicles” to counter Commerce bills on the same subject than was Chmn. Sensenbrenner (R-Wis.), Ingis said. It’s unclear whether fights between Financial Services and Commerce will continue under the Democrats. The 3 committees passed competing data security bills (WID July 5 p2). Incoming Financial Services Chmn. Frank (D-Mass.) voted against his committee’s bill (HR- 3997), the most unpopular with consumer advocates, but that was mostly because it lacked a credit-freeze provision, said attorney Paul Martino, a former Senate Commerce counsel under Sen. McCain (R-Ariz.). Frank supported the bill’s “general direction,” Martino said.

Senate Commerce dynamics on spyware could change dramatically with the loss of Sens. Burns (R-Mont.) and Allen (R-Va.), Martino said. Most committee Democrats supported Burns’s bill (S-687), and Republicans, Allen’s bill (S-1004). Burns sponsored the bill that became the CAN-SPAM Act and 5 years ago backed a strong website privacy bill by ex-Sen. Hollings (D-S.C.); Allen took a “more narrow approach” that favored enforcement of existing privacy and fraud law, he said.

Bills affecting sector-specific laws like Gramm-Leach- Bliley (GLB) for the financial sector will be “debated probably more in the context of other legislation,” such as breach notification bills, Ingis said. The big question is whether sectors with their own security laws will be carved out from any new legislation on security, spam and telemarketing, he said. Speakers agreed that breach notifications haven’t been particularly valuable for consumers. And only 2% of consumers avail themselves of the law’s right to opt out financial institutions sharing their information with outsiders. Under Frank, assumptions about Financial Services “have to be really changed,” said Ohio State U. law Prof. Peter Swire, a former OMB chief privacy counsel. Committee members are “less likely to see themselves as water carriers for the financial services industry,” he said. Ingis wasn’t so sure, saying there’s little perception even among Democrats that GLB provisions have failed.

Spam law is unlikely to change under Democrats, but phishing is drawing attention, Ingis said: “If crafted correctly… [a bill] would probably be very useful.” Democrats may not stop at dealing with fraud, though, and may go after the increasingly common practice of behavioral targeting online, he said, noting he’s heard of “some inquiries” from Democrats. Martino, who helped push through CAN-SPAM, called the concern over targeted marketing “hype” and said better enforcement and new FTC civil tools can take care of real fraud. Without better education, Congress may pass legislation that regulates “what most would consider legitimate practices” online, he said.

On the govt. side, “minor changes” are possible in the Foreign Intelligence Surveillance Act (FISA) under Democratic leadership, but squabbling over who gets to do oversight hearings may take precedence, said Lynn McNulty, dir.-govt. affairs for the Information Security Certification Consortium. One of the few actions likely during the lame duck session is Democrats’ trying to block immunity for telecom companies that may aid the NSA in the electronic surveillance program, Swire predicted: “We might see a constitutional set of crises” if the Bush Administration withholds information.

The Federal Information Security Management Act (FISMA) may be changed in 2007, McNulty said. Agencies have to evaluate their IT security annually, report to OMB, get an inspector general’s review, and on top of that, report to Capitol Hill, where outgoing House Govt. Reform Chmn. Davis (R-Va.) “beat up” on them each year, he said. With many dismissing FISMA compliance as “paperwork” that doesn’t help security, Democrats may see an opportunity to upstage Republicans with amendments to FISMA, McNulty said. The Privacy Act, passed in 1974, “needs a technology update” but is unlikely to change more than incrementally, he added.

Broad privacy legislation will be on everyone’s mind, and industry -- pushing hard for federal preemptive legislation, led by Microsoft (WID March 10 p1) -- is eager to act before “California does 7 more things,” Swire said, referring to the state’s reputation for stringent security and privacy regulations. But industry should consider “how do you stop the train from running away in the wrong direction?” he added.

The “complete lack of enforcement actions” under the Health Insurance Portability & Accountability Act (HIPAA) is “a natural thing for an oversight hearing,” Swire said. The White House coordinator for HIPAA under Clinton, Swire said Health & Human Services has referred 300 of 20,000 HIPAA complaints to DoJ, which hasn’t brought a case. Fewer than 10% of medical records are in the Internet-friendly electronic health record (EHR) format. Despite bipartisan consensus that EHRs are the future of medicine -- “something like motherhood and apple pie” in Americana -- Democrats are likely to raise privacy and security issues that may slow their adoption, Swire said. Some medical processes that states historically handle, such as HIV patient information transfers, may throw up a roadblock to nationally preemptive EHR expansion under Democrats, he added.

Presidential candidates are expected to have privacy planks in their platforms, but won’t focus on the issue “right out of the box,” Martino said. McCain, as a 2000 candidate, sponsored a “narrow” privacy bill focused on opt- out in contrast to Hollings’ “broad” bill. Separately, David Etue, senior security strategist at Fidelis Security Systems, told us “West Coast” politicians considering a 2008 run will be vocal about privacy issues, given Cal.’s pioneering role on the issue. Because of Cal.’s massive weight in the national economy, many companies have adapted to its requirements, meaning a federal law based on its precepts has a “good likelihood of acceptance in the states,” he said.

“People are going to be bubbling with ideas” in 2007, Swire said, predicting 3 times as many bills would be introduced on topics touching the Internet as were in this Congress. “I think we were as close as we could get at the end of this Congress” to passing data security legislation, but that will be a challenge even with Democrats in charge, Martino predicted: “51-49 Senates aren’t known for getting much done.”