dataprotectionlaw&policy FEATURED ARTICLE 0/06 cecile park - - PDF document

Head Office UK Cecile Park Publishing Limited, 17 The Timber Yard, Drysdale Street, London N1 6ND tel +44 (0)20 7012 1380 fax +44 (0)20 7729 6093 info@e-comlaw.com www.e-comlaw.com

cecile park publishing

FEATURED ARTICLE 0/06

dataprotectionlaw&policy

data protection law & policy august 2006

Congress will likely conclude its two-year session without passage

• f federal data security legislation.

The result is surprising, given that an eruption of high-profile security breaches led to congressional hearings, the introduction of various proposals by senior lawmakers and their approval by congressional committees, and

• verall bipartisan, bicameral

interest in addressing the threat of identity theft that is perceived to be associated with such breaches. Turf battles No factor has contributed to this surprising outcome more than the jurisdictional turf battles among congressional committees. Seven different committees – three in the Senate and four in the House – have drafted their versions of federal data security legislation that would establish a national standard for safeguarding sensitive consumer data, and set uniform standards for notifying consumers when a breach of security has compromised their data. Six of them have approved and cleared their proposals for a vote by the full House or Senate. Some of the rivalry among panels has been public. For example, the House Energy and Commerce and the Financial Services committees each sought jurisdiction of the

• ther’s bill, and proceeded to mark

up the other’s bill by striking it and replacing it with the panel’s own

• language. Republican leaders so far

have failed in their bid to get the two committees to work out their differences. Even if the House Energy and Commerce and the Financial Services committees were to resolve their differences, there are

• ther panels with claims to parts of

the legislation. For example, the House Veterans Affairs and Judiciary committees have passed legislation that would likely need to be incorporated into any final legislation. Time is running out for passage. Upon returning from its August recess, Congress has a short schedule in September, because it must break early this year for the political campaigning required prior to the November elections. Even if Congress were to return after the elections for a “lame duck” session, time is very short for a seven-way compromise to be worked out among all of the House and Senate panels. Very few observers would have predicted this scenario a year ago. By last summer, Congress had reacted relatively swiftly to the well publicized rash of security breaches by, in a matter of months, holding multiple hearings, introducing legislation, and even securing approval of a version of the legislation by the Senate Commerce Committee. Recent developments During the past year, there have been more reports of security breaches, bringing to 91 million the total number of records of Americans exposed due to data security breaches since 2005. Earlier this summer, the U.S. Department of Veterans Affairs reported that a laptop containing the social security numbers of 26.5 million veterans had been stolen in a burglary. The fallout from this incident, affecting a very powerful sector in American politics, was expected to renew congressional interest in passage of comprehensive federal data security legislation. Instead, the Federal Bureau of Investigation apprehended the thieves who stole the laptop, forensic analysis satisfied government officials that the data in the laptop had not been compromised, and another congressional committee drafted and approved data security

UNITED STATES 10

US update: federal data security legislation

Despite some 91 million Americans being exposed to data security breaches since 2005 and US states continuing to pass their own laws, Congress is likely to conclude its two-year session without passage

• f a federal data security law. Emilio
• W. Cividanes, a partner in the

Washington DC office of Venable LLP , examines the latest developments and the issues affecting the passage of legislation.

11

legislation, this time targeting the rights of veterans. More than a dozen additional states have passed security-breach notification laws, bringing the total number of states to 34. The majority of the remaining 16 states are expected to pass similar laws in 2007. Enforcement actions and private law suits continue. The Federal Trade Commission, for example, secured $15 million from ChoicePoint in connection with its security breach that exposed 145,000 consumers to criminals. It was ChoicePoint’s February 2005 announcement of its security breach that first drew national attention to the issue of consumer data security and sparked legislative action in both the Congress and the states. The Information Policy Institute issued a study that found that the incidence of identity theft was declining due, at least in part, to industry’s greater investments in fraud detection and information

• security. The study also warned

against legislation that result in “over notification” of consumers, which risks anesthetizing consumers and thereby having them fail to direct efforts to incidences where vigilance and monitoring are crucial. Privacy advocates are pleased with the stalemate in Congress. As one leading consumer spokesman recently stated:“The states have solved the problem and we have constructive compliance with the strongest state laws.” Since the type

• f federal legislation that industry is

supporting would preempt state laws and establish a uniform national standard that they perceive as being weaker than the standards most states have enacted, for privacy advocates, no bill is better than an industry-friendly bill. For many in industry, no federal legislation is also preferable to a bill drafted or endorsed by privacy

• advocates. Industry is temporarily

willing to learn to adapt to the patchwork of state laws while it waits for a more favorable climate for passage of federal legislation. Which is one reason why lobbying efforts continue on data security legislation, despite repeated predictions by pundits that no legislation will get passed by Congress this year. First, wherever efforts end this year are likely to mark the starting points

• n the “playing field” for next

year’s lobbying push. Not willing to lose hard-fought concessions they have gained during the past year, the sides continue to do battle. Second, there’s the possibility that something, for example, a security incident of a severe magnitude, will propel Congress to act this year after all. All sides wish to be well poised in the event that this was to happen. Third, if the Democrats reclaim control of the House or Senate, then most observers expect that the climate for passage of industry- friendly federal legislation will likely get worse, not better. Thus, industry must keep its options open for a possible lobbying push later this year in a post-election “lame duck” session of the Congress. Conclusion Whatever year federal data security legislation gets passed, and whatever shape it takes, these dynamics confirm one of the enduring realities of legislative politics in the United States that affects all privacy proposals: it is far easier to pass state laws than to block their enactment, and it is far easier to block the passage of federal legislative proposals than it is to get them enacted.

Emilio W. Cividanes Partner Venable LLP ecividanes@venable.com

data protection law & policy august 2006

UNITED STATES

For many in industry, no federal legislation is also preferable to a bill drafted

• r endorsed

by privacy advocates

e-commerce law & policy

Many leading companies, including Amazon, BT, eBay, FSA, Orange, Vodafone, Standard Life, and Microsoft have subscribed to ECLP to aid them in solving the business and legal issues they face online. ECLP , was nominated in 2000 and again in 2004 for the British & Irish Association

• f Law Librarian’s Legal Publication of the Year.

A twelve month subscription is £390 (overseas £410) for twelve issues and includes single user access to our online database.

e-commerce law reports

You can now find in one place all the key cases, with analysis and comment, that affect online, mobile and interactive business. ECLR tracks cases and regulatory adjudications from around the world. Leading organisations, including Clifford Chance, Herbert Smith, Baker & McKenzie, Hammonds, Coudert Brothers, Orange and Royal Mail are subscribers. A twelve month subscription is £380 (overseas £400) for six issues and includes single user access to our online database.

data protection law & policy

You can now find in one place the most practical analysis, and advice, on how to address the many problems - and some opportunities - thrown up by data protection and freedom of information legislation. DPLP’s monthly reports update an online archive, which is an invaluable research tool for all those who are involved in data protection. Data acquisition, SMS marketing, subject access, Freedom of Information, data retention, use of CCTV , data sharing and data transfer abroad are all subjects that have featured recently. Leading organisations, including the Office of the Information Commissioner, Allen & Overy, Hammonds, Lovells, BT, Orange, West Berkshire Council, McCann Fitzgerald, Devon County Council and Experian are subscribers. A twelve month subscription is £355 (public sector £255, overseas £375) for twelve issues and includes single user access to our online database.

world online gambling law report

You can now find in one place analysis of the key legal, financial and regulatory issues facing all those involved in online gambling and practical advice on how to address them. The monthly reports update an online archive, which is an invaluable research tool for all those involved in online gambling. Poker, payment systems, white labelling, jurisdiction, betting exchanges, regulation, testing, interactive TV and mobile gaming are all subjects that have featured in WOGLR recently. Leading organisations, including Ladbrokes, William Hill, Coral, Sportingbet, BskyB, DCMS, PMU, Orange and Clifford Chance are subscribers. A twelve month subscription is £485 (overseas £505) for twelve issues and includes single user access to our online database.

world sports law report

WSLR tracks the latest developments from insolvency rules in football, to EU Competition policy on the sale of media rights, to doping and probity. The monthly reports update an online archive, which is an invaluable research tool for all involved in sport. Database rights, sponsorship, guerilla marketing, the Court of Arbitration in Sport, sports agents, image rights, jurisdiction,domain names,ticketing and privacy are subjects that have featured in WSLR recently. Leading organisations, including the England & Wales Cricket Board, the British Horse Board, Hammonds, Fladgate Fielder, Clarke Willmott and Skadden Arps Meagre & Flom are subscribers. A twelve month subscription is £485 (overseas £505) for twelve issues and includes single user access to our online database.

Periodically we may allow companies, whose products or services might be of interest, to send you information. Please tick here if you would like to hear from other companies about products or services that may add value to your subscription. ■

priority order form

1 3 2

Name Job Title Department Company Address Address City State Country Postcode Telephone Fax Email Please invoice me Purchase order number Signature Date I enclose a cheque for the amount of made payable to ‘Cecile Park Publishing Limited’ Please debit my credit card VISA ■ MASTERCARD ■ Card No. Expiry Date Signature Date VAT No. (if ordering from an EC country)

FAX +44 (0)20 7729 6093 CALL +44 (0)20 7012 1380 EMAIL dan.towse@e-comlaw.com ONLINE www.e-comlaw.com POST Cecile Park Publishing 17 The Timber Yard, Drysdale Street, London N1 6ND

■ Please enrol me as a subscriber to e-commerce law & policy at £390 (overseas £410) ■ Please enrol me as a subscriber to e-commerce law reports at £380 (overseas £400) ■ Please enrol me as a subscriber to data protection law & policy at £355 (public sector £255, overseas £375) ■ Please enrol me as a subscriber to world online gambling law report at £485 (overseas £505) ■ Please enrol me as a subscriber to world sports law report at £485 (overseas £505) All subscriptions last for one year. You will be contacted at the end of that period to renew your subscription.

cecile park publishing

Head Office UK Cecile Park Publishing Limited, 17 The Timber Yard, Drysdale Street, London N1 6ND tel +44 (0)20 7012 1380 fax +44 (0)20 7729 6093 info@e-comlaw.com www.e-comlaw.com