Tuesday, June 13, 2006

Sneak Peek of Proposed United States Privacy-Related Bills in 2005
(by Ullas Tharakan)
A sneak peek at the upcoming encryption market, which will dominate information security in the coming years. A number of new pieces of legislation geared toward protecting customer privacy will drive organizations to implement better and new controls. A snapshot of the upcoming legislation in the US market follows -

H.R. 82, Social Security On-line Privacy Protection Act—Introduced 1/4/2005 by Rep. Rodney Frelinghuysen (NJ); prohibits an interactive computer service from disclosing to a third party an individual's Social Security number or related personally identifiable information without the individual's prior informed written consent. The bill also requires such service to permit an individual to revoke any consent at any time.

S. 29, Social Security Number Misuse Prevention Act—Introduced 1/24/2005 by Sen. Dianne Feinstein (CA); amends the Federal criminal code to prohibit the display, sale, or purchase of Social Security numbers without the affirmatively expressed consent of the individual, except in specified circumstances.

S. 116, Privacy Act of 2005—Introduced 1/24/2005 by Sen. Dianne Feinstein (CA); requires the consent of an individual prior to the sale and marketing of such individual's personally identifiable information, and for other purposes.

S. 751, Notification of Risk to Personal Data Act—Introduced 4/11/2005 by Sen. Dianne Feinstein (CA); requires a business or government entity to notify an individual in writing or email when it is believed that personal information has been compromised, with the exception of situations relating to criminal investigation or national security purposes.

S. 768, Comprehensive Identity Theft Prevention Act—Introduced 4/12/2005 by Sen. Charles Schumer (NY); creates a new Federal Trade Commission (FTC) office of identity theft to help victims restore their identities.

S. 1216, Financial Privacy Breach Notification Act of 2005—Introduced 6/9/2005 by Sen. Jon Corzine (NJ); amends GLBA to require a financial institution to promptly notify the following entities whenever a breach of personal information has occurred at such institution: each customer affected by such breach; certain consumer reporting agencies; and appropriate law enforcement agencies. Furthermore, it requires any person that maintains personal information for or on behalf of a financial institution to promptly notify the institution of any case in which such customer information has been breached.

S. 1326, Notification of Risk to Personal Data Act—Introduced 6/28/2005 by Sen. Jeff Sessions (AL); requires any entity that owns or licenses sensitive personal information to implement and maintain "reasonable" security and notification procedures and practices appropriate to the nature of the information; preempts any state laws which relate "in any way to electronic information security standards or notification."

S. 1332, Personal Data Privacy and Security Act of 2005—Introduced 6/29/2005 by Sen. Arlen Specter (PA) and Sen. Patrick Leahy (VT); deals with different issues relating to identity theft and security breaches, specifically providing security measures that require "business entities" that have information on more than 10,000 United States persons to adopt measures commensurate with the sensitivity of the data and the size and complexity of the entity's activities.

S. 1336, Consumer Identity Protection and Security Act—Introduced 6/29/2005 by Sen. Mark Pryor (AR); establishes procedures for the protection of consumers from misuse of, and unauthorized access to, sensitive personal information contained in private information files maintained by commercial entities engaged in, or affecting, interstate commerce.

S. 1408, Identity Theft Protection Act—Introduced 7/14/2005 by Sen. Gordon Smith (OR) and Sen. Bill Nelson (FL); strengthens data protection and safeguards, requires data breach notification, and further prevents identity theft.

Sunday, June 11, 2006

Protecting Personal Information:
Gearing you towards the art of Compliance – Part 1

(Authored by Ullas O Tharakan)

With the increase in networks and computers, sharing and storing information has become easier than ever. The sharing and storage media range from pocket PCs to Cray supercomputers. This has also led to malpractice based on data. Hence governments and corporate bodies worldwide have tightened the framework with mandated data protection laws. The core of data protection law is to present a framework to protect personal information, which has the potential to be misused.
This article explores privacy concerns and what is going on in the world to protect private information.

News and Happenings

Each country has evolved its own cyber law and has mandated data privacy grounds. The law is governed in terms of the domestic movement of data, i.e. within states, versus movement across international boundaries.
Laws in different countries do have similarities, but they also differ in the details. Compliance becomes tricky for organizations that do business at the international level. For example, a company doing business in Europe and the US needs to follow both US and European Union guidelines when using personal data. E.g. a telephone number generally does not come under privacy law in the US, but in Europe one has to take written consent of the employee before using it.

The OECD (Organisation for Economic Co-operation and Development) was the first organization to issue guidelines for cross-border data flows. Over time the legislation is becoming stricter, with increased penalties for non-compliance.

The major challenges that span the organization in terms of compliance related to personal identifier information are -

1) Definition of personal information across the organization
2) Origin of personal information
3) Storage of personal information
4) Validation with respect to all the laws that are applicable
5) Who can access
6) Where can one access
7) Tracking personal information flows
8) Keeping up with laws and regulations

Defining personal identifier information – The identification can be governed by corporate policy, information policy, laws and regulations. Below we try to identify a standard set of personal identifier information –

First name or initial
Last name
Video programming activity
"Black box" data
Social Security number
Email address
Personnel files
GPS data
Payment history
Income
Military history
Criminal charges, convictions and court records
Merchandise and product order history
Financial transaction information
License and certificate numbers
Account numbers
Internet URLs
Device identifiers (for example, serial numbers)
Hospital dates of: birth, admission, discharge, death
Geographic subdivisions smaller than a state (street address)
Health plan beneficiary numbers
Medical record numbers
Fraud alerts
Service subscription history
Fax number
Telephone number
Employment history
Body identifiers (for example, tattoos, scars)
Education records
Descriptive consumer listings
Customer relationships
Credit reports and credit scores
Credit card purchases
Loan or deposit balances
Credit card numbers
Vehicle identifiers (for example, license plate numbers)
Conversations (recorded or overheard)
Voting history
California ID numbers
Debit card numbers
Biometric identifiers (such as DNA, finger, iris, and voice prints)
Information concerning children
Biometric identifiers (for example, finger and voice prints)
Internet Protocol (IP) addresses
Any identifier the FTC determines permits the contacting of a specific individual
Medical care information (for example, organ donations, medications, disability info)
Unique identifiers that can be attributed to a specific individual
Full-face (and comparable) photographic images

I will continue this article in the next part… till then, happy reading.