Senators push for privacy, data security legislation

Web users need to have more control over what personal information is collected, a senator says

Democratic members of a Senate committee promised Wednesday to push hard for new online privacy protections and for legislation that would require companies to put security monitoring tools on their networks.

It's time to stop online companies from collecting consumer data and using it to "their detriment," said Senator John "Jay" Rockefeller, chairman of the Senate Commerce, Science and Transportation Committee. "I want ordinary consumers to know what's being done with their personal information, and I want to give them the power to do something about that," he said during a hearing.

A series of recent data breaches at Sony's PlayStation Network, Citigroup and e-mail service provider Epsilon show the need for new regulations to help consumers control their personal information, said Rockefeller, a West Virginia Democrat.

Rockefeller called on the Senate to pass his Do-Not-Track Online Act, introduced in May, and the Data Security and Breach Notification Act, introduced by Rockefeller and Senator Mark Pryor, an Arkansas Democrat, on June 15.

The data security bill would require companies that have data breaches to notify affected customers, as more than 45 state laws now do. It would also require companies holding personal information to have security policies on the collection and use of the information, to have plans for identifying "reasonably foreseeable" vulnerabilities in their systems and to take corrective actions against the vulnerabilities.

The bill would also require companies to have a process for erasing personal data.

Basic security safeguards and breach notification are "a cost of doing business in the new world," Rockefeller said.

The do-not-track bill requires online companies to honor consumer requests to opt out of online tracking efforts. The bill would allow the U.S. Federal Trade Commission to take enforcement action against companies that fail to honor the do-not-track requests.

The goal of the do-not-track legislation is to make it easy for Web users to stop all companies from tracking them online, Rockefeller said. "One click, no information collected," he said.

A comprehensive approach to privacy and data security is needed, added Senator John Kerry, a Massachusetts Democrat. "What we're talking about today is the ability of people to have some impact on the way digital profiles about them are compiled, and then sliced and diced and traded in a marketplace," he said.

Kerry and Senator John McCain, an Arizona Republican, introduced the Commercial Privacy Bill of Rights Act in April. Their bill would require Web-based businesses that collect consumer information to give clear notice about the data collection and allow consumers to opt out.

There's a growing bipartisan call for privacy legislation, Kerry said.

But others at the hearing questioned the need for some privacy legislation. The Senate should consider data breach notification legislation, but there doesn't seem to be a consensus about the need for new privacy rules, said Senator Patrick Toomey, a Pennsylvania Republican. Toomey questioned whether consumers have been harmed by online data collection.

"We need to thoroughly examine this issue and make sure we don't apply a solution in search of a problem," Toomey said. "In a world where millions of people voluntarily share very personal information on websites like Facebook and Twitter on a daily basis, I'm not sure exactly what consumer expectations are when it comes to privacy, but I am pretty sure different consumers have different expectations."

New regulations could hurt Internet businesses and could reduce the number of free online services consumers get, Toomey added, echoing concerns from some Internet companies about do-not-track rules. "I urge that we proceed with caution," he said.

There have been few studies about the cost of new privacy rules, added Thomas Lenard, president of the Technology Policy Institute, a free-market think tank. A do-not-track rule could increase consumer annoyance by forcing websites to deliver unwanted advertisements to consumers instead of ads targeted to their interests, he said.

Without new studies, there's no way to know whether the privacy proposals "will improve consumer welfare or not," he said.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is
