Data Retention Legislation Debated; Data Breach Legislation Stacking Up

Last week the U.S. House of Representatives Committee on the Judiciary postponed the markup of H.R. 1981, a bill that could require a broad range of entities to store, for 18 months, the IP addresses they assign to their users. According to the Center for Democracy and Technology (CDT), the scope of H.R. 1981 is “vast, covering not only commercial ISPs but also any private companies and non-profits that give their employees Internet access; the bill as drafted could even include home users.”

One of the many opponents of the bill is the Free Market Coalition, which includes the Competitive Enterprise Institute, TechFreedom, and Americans for Tax Reform’s DigitalLiberty.net. The coalition submitted a letter to the committee yesterday stating that it believes “the broad data retention mandate would burden small businesses, hinder innovation, undermine cybersecurity, endanger free speech, harm Americans’ privacy and set a dangerous international precedent—all without appreciably advancing law enforcement objectives or benefiting criminal investigations.”

The bill’s title is the Protecting Children from Internet Pornographers Act. The data retention requirement is meant to assist state and federal law enforcement officials with child pornography and other Internet investigations. Because of the goal of the bill, provisions intended to help prosecutors investigate child pornography could also be used to prosecute any crime. For law enforcement, a standard amount of time for data to be retained is considered an important piece of the bill; however, the 18-month timeframe appears to be negotiable. As of today, the amount of time ISPs and others keep IP addresses varies widely; there is no “standard”.

The postponed markup began yesterday.

In her blog, Erica Newland of CDT writes, “CDT voiced our strong opposition to data retention in any form and expressed additional, serious concerns about the bill’s expansive scope and confusing language. A proposed manager’s amendment that will be offered for markup on Wednesday [July 27] fixes some of the worst language in the bill, but it also creates new areas for concern. Even if the proposed amendment is adopted, H.R. 1981 will still create more problems than it will solve.” Newland lists some of those problems in her blog.

One recurring concern with storing the required data is data security. As we all know, data breaches this year have been fast, furious and frequent. Newland points out, “Required registration would itself be a privacy violation and a burden on expression, but it would also expose users to a greater risk of identity theft and impose significant costs on establishments now burdened with retaining—and, crucially, securing—such information for a year.”

Data breach legislation is of keen interest in Washington these days. While most every state has its own data breach notification laws, federally there are only limited circumstances in which consumer notification is required. There are at least four bills pending. Once again, CDT has done a good job of comparing the bills.

While there’s significant energy being put into data breach notification laws, it seems we should be looking at how to better collect and secure the data in the first place.

As CDT points out in a recent article: “Ideally, legislation addressing data security and data breaches would be incorporated into broader, baseline consumer privacy legislation. If Congress elects to pursue data breach notification independently, however, it should take care not to weaken the notification regime currently in place at the state level.”

At the conclusion of the markup yesterday, some amendments were made, including reducing the 18-month retention requirement to one year. Another important change is that the previously exempt wireless providers are now included.

In a statement issued yesterday, Judiciary Committee Chairman Lamar Smith wrote: “H.R. 1981 provides perhaps the narrowest type of data retention possible. The bill does not require the retention of any email or telephone content. It does not require the retention of numerous types of records. It only requires providers to retain a log of the Internet Protocol (IP) addresses they assign to their customers. H.R. 1981 has a singular, narrow focus—identifying a criminal suspect.”

Smith further clarifies that the bill is directed toward “…only commercial providers, the amendment exempts from the mandate the Internet services, including Wi-Fi, offered by coffee shops, bookstores and hotels.”

The markup for H.R. 1981 is slated to continue through Friday.