Smith: The carrot-and-stick approach

Federal agencies should reward companies that ensure the privacy of consumer data

As recently evidenced by the Federal Trade Commission’s record-setting fine against ChoicePoint, the federal government is getting serious about holding businesses responsible for the protection of consumer information. In addition to the actions taken by the FTC and other governing bodies, several members of Congress have introduced bills designed to protect consumers from identity theft and other types of fraud. Several of those bills seek to restrict or regulate the use of personally identifiable information such as credit card numbers, customer records and Social Security numbers.

One bill in particular — the Personal Data Privacy and Security Act — has support from Republican and Democratic senators and may soon come to a vote on the Senate floor. Sometimes referred to as the Specter-Leahy bill, the act focuses on data brokers and other organizations that own, use or license personally identifiable information. It would impose new standards for data security and heavy penalties for noncompliance.

First, the stick. The Specter-Leahy bill would require all affected organizations to implement a personal data privacy and security program designed to ensure the privacy, security and confidentiality of personal electronic records. The bill would take a cue from a California bellwether law by requiring organizations to contact authorities and affected individuals in the event of a security breach involving sensitive personal information.

If passed, the bill would have a profound effect on how government agencies award contracts to data brokers and other information service providers. The General Services Administration and all federal agencies would have to audit the security practices of data brokers before awarding them large contracts. Furthermore, the bill states that penalties for noncompliance must be written into contracts to ensure ongoing compliance after they have been awarded. Sponsors of the Specter-Leahy bill point to the ChoicePoint debacle as a prime example of why such rules are necessary.

“The ChoicePoint breach highlights a dangerous vulnerability in the information economy — the inadequate screening of the customers who are buying personal information,” said Sen. Patrick Leahy (D-Vt.).

However, some critics point out that the bill would pre-empt state notification laws such as California SB-1386 — the Database Security Breach Notification Act — and that it will not apply to organizations already covered by existing regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA).

But here’s the catch. If the Specter-Leahy bill passes into law, data brokers and other consumer information traffickers must implement higher standards of security if they want to win large contracts with federal agencies. That would be true even if they are a GLBA- or HIPAA-regulated organization that would not otherwise be subject to the rules proposed in the Specter-Leahy bill.

Now, the carrot. Regardless of its passage, the Specter-Leahy bill highlights the fact that federal agencies depend on information provided by data brokers to practice smart government and fulfill technology-driven initiatives such as the President’s Management Agenda.

By awarding large contracts only to companies that maintain effective privacy and security programs for personal data, the government can offer a clear incentive for industry to protect sensitive consumer information.

Smith is marketing vice president at GuardianEdge Technologies, which sells encryption technology for mobile devices.
