[IP] Preliminary analysis of new Specter-Leahy data security bill: opinions? [priv]

[David Farber <dave@xxxxxxxxxx>]

Begin forwarded message:

From: Declan McCullagh <declan@xxxxxxxx>
Date: June 30, 2005 1:13:55 AM EDT
To: politech@xxxxxxxxxxxxxxx
Subject: [Politech] Preliminary analysis of new Specter-Leahy data  
security bill: opinions? [priv]


It's worth taking a close look at the new Specter-Leahy security  
breach bill -- introduced Wednesday -- because it's the most  
comprehensive so far and the leading candidate to be enacted into law  
this year. It's even, at least in theory, going to be voted on in the  
Senate Judiciary committee on Thursday:
http://judiciary.senate.gov/meeting_notice.cfm?id=1555

The sections dealing with government use of databases seem generally  
useful (though some loopholes exist, like the requirement that a  
database is "primarily" of Americans before its use is covered --  
look for the FBI to start inserting random Mexican names to get  
around the "primarily" requirement). So let's look at the private  
sector components.

Bear with me as we get a little technical here...

Title III of the bill erects a complex regulatory scheme around any  
"data broker." That's defined as a "business entity" that it's in the  
regular business of "collecting, transmitting, or otherwise providing  
personally identifiable information" of 5,000 or more people that are  
not "customers" or "employees." Business entity is defined as any  
organization, including a sole proprietorship, that's in the business  
of making money, or a non-profit group that isn't.

Well, Politech is a sole proprietorship -- I have some Google text  
ads on politechbot.com that make a princely $10-$15 or so a month. If  
they made more I wouldn't complain. And I'm pleased to say that the  
list includes over 5,000 subscribers.

Do I "collect[]" personal information? 18 USC 1028(d)(7) defines that  
as "any name or number that may be used, alone or in conjunction with  
any other information, to identify a specific individual." Mailman  
gives subscribers the option of typing in their name, and obviously I  
have everyone's email addresses. 18 USC 1028(d)(7)(C) explicitly  
includes any "unique electronic identification number, address, or  
routing code" so that seems to cover e-mail.

So that makes me a highly-regulated "data broker" unless I can skate  
on some other technicality. Again, I'm arguably in the business of  
regularly "collecting" information from people are aren't "customers"  
-- you don't buy anything frome me. Let's assume I can't escape the  
rule and continue this walk-through.

If I am indeed a data broker, what must I do?

* "Clearly and accurately" disclose all relevant "personal electronic  
records" (maintained for disclosure to third parties) about an  
individual if he or she asks me.
* "Develop and publish" a set of "procedures for correcting  
inaccurate information."
* Offer to "investigate" "free of charge" any discrepancies.
* Provide an opportunity to insert a "100 word" notice of any dispute.

If I don't, I can be sued and fined $1,000-$2,000 per violation per day.

Title IV of the bill is far more exhausting. Any "business  
entity" (that term again) including a sole proprietorship that  
collects, accesses, transmits, stores, or disposes of personal info  
in digital form on over 10,000 U.S. persons must create a "data  
privacy and security program."

Well, there are over 10,000 Politech subscribers, and that's an even  
broader definition (no requirement that it be limited to non- 
customers or that the involvement be regular). So I'm likely covered.  
If that happens, I must:

* "Implement a comprehensive personal data privacy and security program"
* Create a "risk assessment" to "identify reasonably foreseeable"  
vulnerabilities
* "Assess the likelihood" of security breaches
* "Assess the sufficiency" of my policies to protect against them
* Protect information by encrypting it
* Publish the "terms of such program"
* Do "regular testing of key controls" to test security
* Select only superior "service providers" after doing "due diligence"
* Regularly "monitor, evaluate, and adjust" my security policies

If I don't, I can be fined up to $10,000 a day per violation.

Oh, and there's Title IV Subtitle B. It's pretty much the same  
definition, and requires me to:

* In the case of a security breach of the Politech subscriber list, I  
must notify the U.S. Secret Service and the state attorney general.
* And I must notify individual subscribers
* And I must notify consumer reporting agencies
* For individual subscribers, I must notify via physical mail to home  
address, or if I can't, via telephone call to your home. There's no  
provision for e-mail contact. But if I don't follow that procedures I  
violate the law.
* I also must post this notice publicly on the Web and notify "major  
media outlets"

If I don't follow those rules, I can be fined up to $10,000 a day per  
violation -- and if I "willfully" conceal the security breach, I can  
be fined something like $250,000 and be imprisoned for up to five years.

I recognize that senators Specter and Leahy are trying to target  
ChoicePoint and Acxiom and so on. But their bill, as written, does  
not appear to be written to include just those data warehouses. And  
given that they've had months and (presumbly) very bright people  
drafting it, that makes me worried.

In fact, the definitions could cover, for instance, news  
organizations (many news sites arguably provide personal information  
on thousands of people, and People magazine's Web site certainly  
does). How about popular blogs that have thousands of registered  
users? Search engines? Google's phone number finding service?  
Libraries? Email service providers? Alumni organizations for schools?  
Charities, like Golden Gate National Parks Association? What about  
universities, especially in terms of all the applications they get?  
Sweepstakes companies? I wonder if probable supporters of this bill  
-- like the ACLU and EPIC -- would enjoy having to follow all these  
complicated procedures (with the penalty of fines or prison terms if  
they don't).

I admit this is just my preliminary reading, but my sense is that  
these requirements will end up being another version of Sarbanes- 
Oxley, with the same destructive, wealth-eroding implications:
http://www.politechbot.com/2005/06/16/richard-rahn-on/

Perhaps I'm wrong. I'd welcome responses (and "don't worry, trust  
prosecutors' discretion" is not a useful one). If I'm right, how much  
harm will be done in the name of "protecting privacy?"

-Declan

---

News article:
http://news.com.com/2100-7348_3-5769156.html

Text of legislation (Leahy's floor statement is below):
http://i.i.com.com/cnwk.1d/pdf/ne/2005/Specter-Leahy.pdf

Additional background material:
http://www.politechbot.com/docs/leahy.floor.statement.062905.txt
http://www.politechbot.com/docs/specter.leahy.sections.062905.doc
http://www.politechbot.com/docs/specter.leahy.summary.062905.doc
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/