New York Times Editorial: Keeping Personal Data Private

New York Times Editorial: Keeping Personal Data Private
Copyright by The New York Times
Published: November 24, 2009
http://www.nytimes.com/2009/11/25/opinion/25weds2.html?th&emc=th


In 2006, a Veterans Affairs Department analyst lost a laptop and external drive with Social Security numbers and other personal data from more than 26 million veterans and active duty troops. There was a national call for a federal law to protect this sort of data — as there has been after other big data breaches — but nothing was done. Finally, a bill is moving in the Senate that would put more protections in place for personal data.

Computers hold an enormous amount of personal information about people. In the wrong hands, the data can be used to steal identities or drain bank accounts. There is a patchwork of laws that offers varying levels of protection to residents of most, but not all, states, but there is no overarching federal law.

Senator Patrick Leahy, a Democrat of Vermont, is sponsoring a bill, the Personal Data Privacy and Security Act of 2009, that would beef up cybersecurity and make people’s personal information safer. It would require entities that keep personal data to establish effective programs for ensuring that that data is kept confidential. That could include encryption of data, although the law does not specify any security method. When there is a breach, it would require that notice be given to individuals whose personal information is exposed.

The Leahy bill applies both to the private companies and to government, which is important, since both the private and public sectors have been responsible for major data breaches in the past few years. It would require data brokers — companies that collect personal data and sell it to third parties — to inform consumers about the data they have on them and allow people to correct erroneous information. The bill also makes it a crime to intentionally conceal a security breach that exposes personal data, and it increases criminal penalties for identity theft by use of electronic personal data.

One potentially troubling aspect of the bill is that it would pre-empt, or nullify, state laws in this area. That is not a problem if the bill remains in its current form. But it should not be allowed to get weaker during the legislative process. A weak federal law that pre-empts state protections would be worse than no federal law at all.

Mr. Leahy’s bill was sent to the full Senate by the Judiciary Committee this month along with another worthy, but more limited, bill introduced by Senator Dianne Feinstein, a Democrat of California.

There are many important issues competing for Congress’s attention, but keeping people’s personal information safe should rank high on the list. Senate leaders should find the time for a vote on the Leahy bill, and the House should pass its own bill without further delay.