Breach notification bill to get priority in House Judiciary Committee

The U.S. House of Representatives is unlikely to take up a tough identity theft law passed by the Senate last month before considering a broader measure proposed by the chairman of the House Judiciary Committee, a committee counsel said today.

While the House Judiciary Committee may hold a hearing on the subject of identity theft before the end of the year, it is not expected to vote this month on the Identity Theft Enforcement and Restitution Act of 2007, which would permit victims of identity theft to seek compensation and make it easier for federal prosecutors to target individuals deploying botnets, according to the counsel for Judiciary's Crime, Terrorism and Homeland Security subcommittee.

The counsel said the focus of the House committee hearing would be the Privacy and Cybercrime Enforcement Act of 2007, which was introduced by Judiciary Committee Chairman Rep. John Conyers, D.-Mich., last month, a few days before the Senate bill, co-sponsored by Sens. Patrick Leahy, D.-R.I., and Arlen Specter, R.-Pa., unanimously passed.

The Senate bill was referred to the House Judiciary Committee on Dec. 4.

The House bill would require companies to provide notice to the U.S. Secret Service or the FBI of major security breaches involving sensitive personally identifiable information. The legislation defines a major security breach as involving identification of 10,000 or more individuals, breaches of databases owned by the federal government, or breaches that reveal the identity of federal employees or contractors involved in national security and/or law enforcement.

The bill would impose a penalty of five years in prison for anyone failing to provide notification of a major breach, and it requires the Secret Service and FBI to publish breach notifications in the Federal Register.

The House bill is closely aligned with the Personal Data Privacy and Security Act of 2007, an earlier version of the Senate bill, which was introduced by Leahy and Specter in February but never acted on.

The bill approved by the Senate last month seeks to close a loophole in the current federal criminal law, which sets a $5,000 aggregate damage threshold for prosecuting unauthorized access to computers but does not facilitate prosecution of bot herders due to the minimal damage they inflict on individual computers. The current law forces prosecutors to identify the owners of zombie computers and tally the damage done to each.

The bill would eliminate that monetary threshold and set the standard as damage affecting 10 or more computers, which should make it much easier for prosecutors to target bot herders.

Another provision of the bill would permit prosecution of individuals who steal personal information from a computer located in the same state as the attacker's computer. Today, federal courts' jurisdiction extends only to attacks involving interstate or foreign communication.
