Tuesday, November 29, 2005

Specter - Leahy Privacy Bill - Notification

Selected excerpts from the Specter-Leahy privacy bill pending in Congress, regarding notification:

Personal Data Privacy and Security Act of 2005 (Reported in Senate)


(a) In General- Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information shall, following the discovery of a security breach of such information notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired.

(b) Obligation of Owner or Licensee-

(1) NOTICE TO OWNER OR LICENSEE- Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information that the agency or business entity does not own or license shall notify the owner or licensee of the information following the discovery of a security breach involving such information.

(2) NOTICE BY OWNER, LICENSEE OR OTHER DESIGNATED THIRD PARTY- Nothing in this subtitle shall prevent or abrogate an agreement between an agency or business entity required to give notice under this section and a designated third party, including an owner or licensee of the sensitive personally identifiable information subject to the security breach, to provide the notifications required under subsection (a).

(3) BUSINESS ENTITY RELIEVED FROM GIVING NOTICE- A business entity obligated to give notice under subsection (a) shall be relieved of such obligation if an owner or licensee of the sensitive personally identifiable information subject to the security breach, or other designated third party, provides such notification.

(c) Timeliness of Notification-

(1) IN GENERAL- All notifications required under this section shall be made without unreasonable delay following the discovery by the agency or business entity of a security breach.

(2) REASONABLE DELAY- Reasonable delay under this subsection may include any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data system and provide notice to law enforcement when required.

(3) BURDEN OF PROOF- The agency, business entity, owner, or licensee required to provide notification under this section shall have the burden of demonstrating that all notifications were made as required under this subtitle, including evidence demonstrating the necessity of any delay.

(d) Delay of Notification Authorized for Law Enforcement Purposes-

(1) IN GENERAL- If a Federal law enforcement agency determines that the notification required under this section would impede a criminal investigation, such notification shall be delayed upon written notice from such Federal law enforcement agency to the agency or business entity that experienced the breach.

(2) EXTENDED DELAY OF NOTIFICATION- If the notification required under subsection (a) is delayed pursuant to paragraph (1), an agency or business entity shall give notice 30 days after the day such law enforcement delay was invoked unless a Federal law enforcement agency provides written notification that further delay is necessary.

(3) LAW ENFORCEMENT IMMUNITY- No cause of action shall lie in any court against any law enforcement agency for acts relating to the delay of notification for law enforcement purposes under this Act.


(a) Exemption for National Security and Law Enforcement-

(1) IN GENERAL- Section 321 shall not apply to an agency if the agency certifies, in writing, that notification of the security breach as required by section 321 reasonably could be expected to--

(A) cause damage to the national security; or

(B) hinder a law enforcement investigation or the ability of the agency to conduct law enforcement investigations.

(2) LIMITS ON CERTIFICATIONS- An agency may not execute a certification under paragraph (1) to--

(A) conceal violations of law, inefficiency, or administrative error;

(B) prevent embarrassment to a business entity, organization, or agency; or

(C) restrain competition.

(3) NOTICE- In every case in which an agency issues a certification under paragraph (1), the certification, accompanied by a description of the factual basis for the certification, shall be immediately provided to the United States Secret Service.

(b) Safe Harbor- An agency or business entity will be exempt from the notice requirements under section 321, if--

(1) a risk assessment concludes that there is no significant risk that the security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach;

(2) without unreasonable delay, but not later than 45 days after the discovery of a security breach, unless extended by the United States Secret Service, the agency or business entity notifies the United States Secret Service, in writing, of--

(A) the results of the risk assessment; and

(B) its decision to invoke the risk assessment exemption; and

(3) the United States Secret Service does not indicate, in writing, within 10 days from receipt of the decision, that notice should be given.

(c) Financial Fraud Prevention Exemption-

(1) IN GENERAL- A business entity will be exempt from the notice requirement under section 321 if the business entity utilizes or participates in a security program that--

(A) is designed to block the use of the sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual; and

(B) provides for notice to affected individuals after a security breach that has resulted in fraud or unauthorized transactions.

(2) LIMITATION- The exemption by this subsection does not apply if the information subject to the security breach includes sensitive personally identifiable information in addition to the sensitive personally identifiable information identified in section 3.

Tuesday, November 15, 2005

More ChoicePoint Breaches

According to a new statement ChoicePoint filed with the Securities and Exchange Commission ChoicePoint has sent notices to another 17,000 notices people informing them that their data may have been accessed in a security breach.

ChoicePoint is looking into the breach and may send more notices.

Monday, November 14, 2005

Alito and the Right to Privacy, Part 4

According to an article in "The Washington Times," Judge Alito at one time felt that Roe v. Wade was wrongly decided.

In 1985, while applying for a job with the Justice Department, he wrote that he believed that the "the Constitution does not protect a right to an abortion."    

He also wrote "I personally believe very strongly" in that position. According to the newspaper, Alito wrote on this on an application to become deputy assistant to Attorney General Edwin I. Meese III.

Apparently the document is being released from the the Ronald Reagan Presidential Library.

He also wrote: "It has been an honor and source of personal satisfaction for me to serve in the office of the Solicitor General during President Reagan's administration and to help to advance legal positions in which I personally believe very strongly."

"I am particularly proud of my contributions in recent cases in which the government has argued in the Supreme Court that racial and ethnic quotas should not be allowed and that the Constitution does not protect a right to an abortion."

Friday, November 11, 2005

Microsoft Backs Privacy Law

Microsoft, eBay, and Hewlett Packard have come out in favor of a federal privacy law.

Thursday called for a broad US law to protect consumer privacy and a top Republican lawmaker said he planned to push such a bill next year, amid heightened consumer concerns about identity theft and online fraud.

"This is the time, this is the place, we believe, for the government to adopt privacy legislation on a national basis," said Microsoft General Counsel Brad Smith said at a Congressional event on Thursday.

Microsoft wants a federal law to pre-empt state privacy laws. They say that there are too many different state laws to comply with.

"It's the patchwork of state laws that is causing a lot of heartburn, not any one individual law," said Microsoft's Brad Smith.

Friday, November 04, 2005

Alito and the Right to Privacy, Part 3

According to news reports, Alito told Democratic Senator Richard Durbin that he believes the U.S. Constitution guarantees a right to privacy.

"I think he believes in that fundamental right,'' Durbin is reported as saying. Durbin also said that Judge Alito did not say if he would apply that right in the case of woman's right to an abortion.

While Democratic Senator Ben Nelson said he agreed with a dissenting opinion by Judge Alito in which he wrote that states can require a married woman to notify her husband before getting an abortion, Richard Durbin said that Judge Alito told him that that dissent "was a tough decision'' to write.

"He spent more time worrying over, and working on, that dissent than any other'' opinion he ever wrote, I was glad to hear that," Durbin said.

Wednesday, November 02, 2005

Alito and the Right to Privacy, Part 2

Transcript of Arlen Specter's statements regarding Samuel Alito and a Constitutitonal right to privacy

Monday, Oct. 31


I met for about an hour and a quarter this morning with Judge Samuel Alito, whom I have known for the better part of two decades. We talked about a wide variety of issues which will come before the Judiciary Committee during his hearings.

I start with his statement that he believes there is a RIGHT TO PRIVACY Under the LIBERTY CLAUSE of the United States Constitution. And he believes that the right applied to singles as well as married under the interpretation of Griswold v. Connecticut. And he says that he accepts Griswold v. Connecticut as GOOD LAW.

We talked a considerable extent about the value of precedence or stare decisis, to let the decision stand, which is a key factor, as you all know, on evaluating Roe.

I raised with him a question about super precedents, which we took up in the hearings for Judge Roberts -- Chief Justice Roberts -- and the super-duper precedents which I added in on the basis of some 38 cases where the Supreme Court has had an opportunity to overrule Roe and has not done so.

There was an interesting article in the New York Times yesterday about where super precedents are going and super-duper precedents are going, and Judge Alito did not endorse super precedents or super-duper precedents, but did say that he viewed it as a sliding scale, and that the longer a decision was in effect and the more times that it had been reaffirmed by different courts, different justices appointed by different presidents, it had extra precedential value.


SPECTER: And I think he is entitled to an opportunity to be heard and not to have people condemn or criticize when there's obviously an insufficient basis for doing so.

He has the dissent in the Court of Appeals for the 3rd Circuit on Casey v. Planned Parenthood, on the NARROW grounds already publicized, upholding the Pennsylvania legislative determination to require notice to a husband -- a very NARROW ruling, VERY CAREFULLY CRAFTED on the basis of Justice O'Connor's decisions in previous cases about what would constitute an undue burden for the woman.

He joined in a decision striking down a partial birth abortion statute from New Jersey. That was in the context where it had been decided by the Supreme Court, but that was his decision.

[ EDIT ]

QUESTION: How central will the dissenting opinion in the Casey case be in the decision-making process going forward? And do you think his opinions on abortion are clear at this point, as some groups are suggesting?

SPECTER: How important will his dissent in Casey will be?

I think it will be a factor. His dissent in Casey does not signify disagreement with Roe v. Wade. The joint opinion by the Supreme Court of the United States in Casey upheld Roe but permitted certain limitations on parental notification, on a waiting period.

SPECTER: And this was one of quite a number of limitations which the Pennsylvania legislature had imposed, but still consistent with upholding Roe v. Wade. So there's nothing in his dissent which suggests disagreement with the underlying decision in Roe v. Wade. But I'm sure it'll be a subject of discussion at the hearings.

[ EDIT ]

QUESTION: How did Judge Alito's comments about super precedents and super-duper precedents differ from Judge Roberts'?

SPECTER: Well, Judge Alito said a little more than Judge Roberts said. But, then, Judge Roberts ducked super precedents and he ducked super-duper precedents.

And in the informal meeting I had with him, I asked him a pop quiz. I said: In how many cases do you think the Supreme Court has had a chance to overrule Roe v. Wade?

And he guessed something in the teens. And he was surprised to hear that there were 38. But that was one of many questions which Chief Justice Roberts successfully declined to answer.

QUESTION: Well, may I ask it this way, then: With your conversation with Judge Alito today, would you say he was far off or close to where Judge Roberts ended up on the super and super-duper precedent question asked in the hearing?

SPECTER: (inaudible) if you want to rephrase the question to Chief Justice Roberts (inaudible) gotten an answer and I'll give you an answer.

I think he went farther than Roberts went when he said that -- he used the term "sliding scale" and said that when a case has been reaffirmed many times, it has extra -- I think he said "weight" -- as a precedent, reaffirmed by different courts, nominees appointed by different presidents.


QUESTION: You discussed Griswold. Did you also discuss Lawrence v. Texas, and the precedential value of Lawrence v. Texas?

SPECTER: I didn't take up that case specifically. We met, as I said, for about an hour and a quarter and didn't take up all the questions I'll have to ask him.

QUESTION: You discussed Griswold. Did you discuss Eisenstadt with him as well? And do you see any possibility of getting a confirmation hearing in December?

SPECTER: I discussed the issue of the contraceptive issue applying singles, as well as marriage in Griswold. And Eisenstadt was not specifically mentioned, but the subject matter was.