Data security bill seeks to tackle corporate blunders

Corporate data-security practices would be hit with an avalanche of new rules, and information thieves would face stiff new penalties under a far-reaching bill introduced on Wednesday in the US Senate.

The bill represents the most aggressive - and at 91 pages, the most regulatory - legislative proposal crafted so far in response to a slew of high-profile security breaches in the last few months.

Senator Patrick Leahy, a Vermont Democrat, said in a floor speech: "Reforms like these are long overdue. This issue and our legislation deserve to become a key part of this year's domestic agenda so that we can achieve some positive changes in areas that affect the everyday lives of Americans."

One portion of the bill, named the Personal Data Privacy and Security Act, restricts the sale or publication of Social Security numbers (SSNs). Also, businesses would be prohibited from requiring SSNs except in a narrow set of circumstances such as obtaining credit reports or when dealing with an applicant for a job or an apartment.

Leahy, who had hinted at his plans in a speech in March and had his personal information lost by Bank of America, is co-sponsoring the bill with Pennsylvania Senator Arlen Specter. Because Specter is the Republican chairman of the influential Judiciary committee, the measure could move swiftly through the normally torpid legislative process.

At a press conference in the Capitol building, Specter said: "This is an evolving problem that is gigantic." He predicted quick action because "we're not dealing with a highly controversial subject where there will be significant differences of opinion".

While portions of the proposal are sure to be criticised by businesses that would be faced with more paperwork and compliance requirements, Congress nevertheless seems eager to act. In speech after speech, politicians have pledged to enact more laws to respond to the data mishaps - promises that have occasionally raised eyebrows because many of the intrusions were already illegal.

Spurring politicians along has been series of security blunders involving firms including ChoicePoint - which claims to have fixed its problems - Bank of America, payroll provider PayMaxx, and Reed Elsevier Group's LexisNexis service. Other suggestions have included narrower measures to restrict the sale of SSNs or mandate notices of security breaches.

Declan McCullagh writes for CNET News.com