One of the most interesting things Scott mentioned today was the proposed Leahy-Specter bill in Congress that would regulate identity brokers and come into effect in June 2005.
– Enact a bevy of new regulations that cover “data brokers,” defined as business or non-profits “in the practice of collecting, transmitting, or otherwise providing personally identifiable information on a nationwide basis on more than 5,000 individuals.” Among the regulations: data brokers would have to allow consumers the chance to change their information, and as with a credit report, receive a copy of that information at their request.
— Require businesses not already covered by the Gramm-Leach-Bliley Act or HIPAA (Health Insurance Portability and Accountability Act of 1996) to create a data privacy and security program. That part of the Leahy-Specter bill also expands disclosure rules nationwide, and mandates that customers be informed of any security breach involving more than 10,000 people, or that revolved around a database with more than a million entries.
— Limit the ways that Social Security numbers can be used as account numbers. This section also bans the sale of Social Security numbers, one of the data bits sold to fraudsters by ChoicePoint in 2004 and disclosed in February 2005.
— And force the General Services Administration (GSA) to review government contractors’ privacy and security programs before awarding contracts. This last item came from the recent news that the Internal Revenue Service had awarded a $20 million contract to ChoicePoint.
These potential new regulations have implications for the folks working on DB/data sharing in the nonprofit sector. Any individual with a big mailing list might be responsible for complying. Small businesses will be affected.