ACM's Tech Policy Weblog

PASS ID Moves Forward in Congress

Wed, 25 Nov 2009 20:55:34 +0000

PASS ID, S. 1261, is a bill introduced in June as an attempt to break through the impasse over REAL ID. That law, passed as part of a budget bill in 2005, was intended to tighten the security of drivers’ licenses and state-issued identification cards to combat terrorism. The USACM Issue Brief on REAL ID reviews our concerns with the legislation, which we argue is badly designed and introduces too many risks to the security and privacy of personal information to be effective. There have been several problems in implementing the bill, not the least of which is the actions of several states to pass resolutions or laws stating they will not implement the law.

PASS ID tries to address some of the security and privacy concerns over REAL ID, as well as reducing the costs for states to comply with the bill. Reviewing the legislation, it becomes clear that a lot of the work to improve REAL ID through the rulemaking process (for which USACM submitted comments), as well as the good comments that were not included in the final regulations, are absent from PASS ID. For instance, there is now the possibility that insecure RFID chips could be used in a PASS ID, something not possible under REAL ID regulations.

The changes introduced by Senator Lieberman to PASS ID are a mixed bag. Some provisions add measures intended to improve the privacy protections in the legislation and the oversight of PASS ID. Other changes would increase the trend toward establishing real-time database information sharing, raising concerns that PASS ID will be a de facto national identification card (concerns that are present for REAL ID as well).

It’s not clear how soon the Senate will consider PASS ID, and the House has yet to address the issue. Health care still dominates the legislative agenda, so it might not happen before the beginning of 2010. However, there are critical deadlines coming up before then for REAL ID, so there is some pressure to move the bill.

Hill Tech Happenings, Week of November 16

Mon, 16 Nov 2009 18:45:05 +0000

November 17

Hearing:

The Senate Judiciary Committee will hold a hearing on cybersecurity, with an emphasis on fighting terrorism and protecting privacy.
10 a.m., 226 Dirksen Building

November 18

Markup:

The House Science and Technology Committee will review pending legislation on cybersecurity research, development, and standards.
10 a.m., 2318 Rayburn Building

November 19

Hearing:

The Subcommittee on Communications, Technology and the Internet, and the Subcommittee on Commerce, Trade and Consumer Protection of the House Energy and Commerce Committee will meet on the collection and use of consumer information.
10 a.m., 2123 Rayburn Building

Senate Judiciary Committee Approves Data Security Bills

Fri, 06 Nov 2009 21:54:07 +0000

In a markup session yesterday, the Senate Judiciary Committee approved two bills on the protection of consumer data. S 1490, the Personal Data Privacy and Security Act of 2009, takes a number of steps to increase the penalties for identity theft and to require data brokers take additional measures to protect the information they handle. The additional steps start with implementing data privacy and security programs for databases with sensitive personal information. Data brokers would be required to disclose to an individual information that the broker has on that individual. Brokers must also maintain procedures for individuals to correct inaccuracies in this information. The bill also requires the Federal Trade Commission, the General Services Administration, and the U.S. Sentencing Commission make changes to their policies to reflect the standards and procedures described in this act. For example, the bill makes it a crime to intentionally or willfully conceal a security breach involving personal data.

The bill’s data breach notification provisions come from a separate bill the committee approved, S 139, the Data Breach Notification Act. Any federal agency or business entity that uses, accesses, or collects sensitive personally identifiable information must notify in the event of a data breach: any U.S. resident whose information was accessed or taken; and any third party that has access or control of that information. Under special circumstances other agencies would be notified as well. The Senate Judiciary Committee has approved data privacy and breach notification legislation before, and it failed to reach the Senate floor. With the number of records exposed by data breaches continuing to grow, it would be nice to see this legislation advance further in the process.

Hill Tech Happenings, Week of November 2

Mon, 02 Nov 2009 15:51:04 +0000

November 4

Markup:
The Technology and Innovation Subcommittee of the House Science and Technology Committee will review the Cybersecurity Coordination and Awareness Act, a piece of draft legislation.
10:30 a.m., 2318 Rayburn Building

November 5

Meeting:
The Senate Judiciary Committee will meet to consider nominations and pending legislation, including bills on data breach notification and data privacy.
10 a.m., 226 Dirksen Building