Internet privacy, data security discussed at Senate hearing

Witnesses testified before the U.S. Senate today largely supporting three Internet privacy and data security bills that have been proposed recently as a response to recent cyber security breaches.

The hearing before the Senate Committee on Commerce, Science, and Transportation addressed how entities collect, maintain, secure, and use information, and whether consumers are adequately protected under current laws.

Chairman John. D. Rockefeller IV cited recent attacks against Citigroup, Sony, and Epsilon as proof that companies are increasingly susceptible to data breaches.

Austin Schlick, general counsel for the Federal Communications Commission, said recent investigations by the FCC into data breaches have made clear the need for increased protection.

"We are not seeing cases that are close calls," he said. "We are seeing cases where companies are falling down on basic security procedures, sometimes ones implemented by their own company."

The hearing focused on three bills: the Commercial Privacy Bill of Rights of 2011, the Do-Not-Track Online Act, and the Data Security and Breach Notification Act of 2011.

Julie Brill, a commissioner of the Federal Trade Commission, supported the "Do-Not-Track" bill, which allows consumers to prohibit entities from releasing their personal data. She said consumers should have more choices about their privacy, and that entities should be more transparent about the data they collect.

"Most consumers are completely unaware about the data deluge being collected and sold about them both online and offline," Brill said.

A recent poll by Consumers Union, the not-for-profit publisher of Consumer Reports, found that two-thirds of consumers want the government to protect their privacy. Furthermore, 80 percent want the ability to opt out of Internet tracking from a single location.

Ioana Rusu, regulatory counsel for Consumers Union, said in her testimony that she supports the bills, but thinks the "Do-Not-Track" laws should address not just the use of consumers' data, but also the collection of it.

"Companies should not be permitted to amass vast quantities of information about individuals' behaviors and interests, without at least giving those individuals some notice and opportunity to opt out," she said.

One notable point of contention was the proposal of a national standard about how entities should notify consumers about data breaches. Tim Schaaff, president of Sony Network Entertainment International, said it's important for companies to investigate data breaches before notifying the public, otherwise vague information might be released.

Thomas Lenard, Ph.D., president and senior fellow for the Technology Policy Institute, also questioned the need for government standards for data security. He said companies already have enough incentive to protect themselves because data breaches are obviously financially harmful to them.

—Evan MacDonald