U.S. Sen. Richard Blumenthal said Thursday that the debt debate that’s certain to dominate the discussion when Congress meets again in September shouldn’t prevent Congress from passing a vital bill to protect citizens’ data privacy.
He met with academic computer security experts at the University of Connecticut’s Greater Hartford campus to hear ideas as he drafts the bill. It’s a necessary effort because computer data breaches are a continuing and constant threat to citizens and consumers both in Connecticut and across the country, he said.
“There were 23 million people affected by breaches of data that threatened financial loss, embarrassment, privacy invasion. We’re not talking about something that is abstract or conceptual—these data breaches have a practical and profoundly important consequences for millions of Americans, individuals and families across the country,” he said.
Blumenthal hopes his bill will address what he called a glaring gap in the protections afforded to people affected by data breaches.
The problem is only likely to get worse as more and more organizations collect information about people as consumers, patients, students, bankers and borrowers, he said.
The concern is that institutions, companies and other third parties that collect personal data stockpile the information, keeping it even after they no longer need it. It’s often difficult to tell how well they protect the information from identity thieves or whether it’s being sold for other purposes like targeted marketing.
Blumenthal likened the process to experiences he had after he and his wife had children. Each time they came home from the hospital with a new baby they would begin receiving mail, enticing them to buy diapers and baby formula, he said. He wondered how the marketers knew they had recently had a baby and later found out the hospital was selling the information, he said.
The bill would force companies to take better care of private information like addresses, social security numbers, and medical records, he said.
“That information is more vulnerable than ever because many American corporations have failed to take sufficient steps to safe guard this type of information,” he said.
Many corporations have also failed to take steps after data breaches have been realized and notify people when it happens, he said.
The experts at the roundtable discussion agreed with him.
“To pretend your social security number is private at this point is almost foolish,” said Jason Pufahl, UConn’s chief information security officer.
Blumenthal asked Pufahl and Yale computer science professor Mike Fischer for input on what his multi-pronged bill should do to protect data privacy. They said it was an important issue for the federal government to address but said there is no one “silver bullet” to fix it.
“When I think in terms of legislation I can’t think of a simple piece of legislation that would have that kind of a cure,” Fischer said.
Instead the bill will have to come at the problem from a number of different angles, they said.
It will have to address the current corporate culture, Fischer said. Many corporate employees aren’t taught to value and protect the information as much as they should, he said.
He likened a corporate employee who takes personal data home to work on at his private computer and then loses the information to a power plant worker who takes home radioactive waste to work with in his basement.
“It’s a terrible breach of accepted standards and behavior,” he said.
Training and certification programs could alleviate the problem, he said. They should be taught to get rid of information that is no longer needed because less data equals less risk, he said.
Blumenthal agreed changing the corporate culture should be an important function of his bill.
“What I see very often in the reaction is once there is a data breach, ‘Oh well, so what? We lost the data that’s too bad. You really don’t want us to pay a penalty do you?’” he said.
Pufahl said the bill should also assign responsibility for those charged with safeguarding the data. If someone is held accountable for the data’s protection they will be more inclined to keep and collect less of it, he said. Companies should have clear policies regarding what data they collect, how they protect it and when the purge it, he said.
“Very often it’s ‘We collect it and keep it in perpetuity because… we may need it someday.’ That puts us in the position we’re in today,” he said.
Often institutions can lose track of where the data is or even forget they have it, he said. Finding it and cleaning it up is can be a monumental task, he said, using the university as an example.
UConn put policies in place years ago to stop collecting as much data, he said, but noted the university has a hugely distributed system any one of the school’s 30,000 computers could potentially have personal information on them.
Pufahl recommended the legislation allow a window for companies to come in to compliance and be constructed in a way were corporate workers can still get their jobs done.
If the bill is harshly and immediately penalizes a company to make an example of it it will discourage others from helping to find lost data, he said.
Perhaps the biggest task in the effort to protect data privacy is user awareness, Pufahl said. Increasingly, people voluntarily give up their locations, habits, and information on social networking sites and often don’t think twice about entering their social security number when prompted, he said.
Blumenthal said young people in particular seem to not value their privacy.
“They’re very cavalier often with the information they are willing to share,” he said.
After the talk Blumenthal said the fresh ideas will be useful as he tries to move the bill through the legislative process at the nation’s Capitol, which he said can be an “echo chamber.” He said he plans to introduce it when Congress meets again next month but invited suggestions to improve and expand it going forward.