Smith: The carrot-and-stick approach

Federal agencies should reward companies that ensure the privacy of consumer data

As recently evidenced by the Federal Trade Commission’s record-setting fine against ChoicePoint, the federal government is getting serious about holding businesses responsible for the protection of consumer information. In addition to the actions taken by the FTC and other governing bodies, several members of Congress have introduced bills designed to protect consumers from identity theft and other types of fraud. Several of those bills seek to restrict or regulate the use of personally identifiable information such as credit card numbers, customer records and Social Security numbers.

One bill in particular — the Personal Data Privacy and Security Act — has support from Republican and Democratic senators and may soon come to a vote on the Senate floor. Sometimes referred to as the Specter-Leahy bill, the act focuses on data brokers and other organizations that own, use or license personally identifiable information. It would impose new standards for data security and heavy penalties for noncompliance.

First, the stick. The Specter-Leahy bill would require all affected organizations to implement a personal data privacy and security program designed to ensure the privacy, security and confidentiality of personal electronic records. The bill would take a cue from a California bellwether law by requiring organizations to contact authorities and affected individuals in the event of a security breach involving sensitive personal information.

If passed, the bill would have a profound effect on how government agencies award contracts to data brokers and other information service providers. The General Services Administration and all federal agencies would have to audit the security practices of data brokers before awarding them large contracts. Furthermore, the bill states that penalties for noncompliance must be written into contracts to ensure ongoing compliance after they have been awarded. Sponsors of the Specter-Leahy bill point to the ChoicePoint debacle as a prime example of why such rules are necessary.

“The ChoicePoint breach highlights a dangerous vulnerability in the information economy — the inadequate screening of the customers who are buying personal information,” said Sen. Patrick Leahy (D-Vt.).

However, some critics point out that the bill would pre-empt state notification laws such as California SB-1386 — the Database Security Breach Notification Act — and that it would not apply to organizations already covered by existing regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA).

But here’s the catch. If the Specter-Leahy bill passes into law, data brokers and other consumer information traffickers would have to implement higher standards of security if they want to win large contracts with federal agencies. That would be true even for a GLBA- or HIPAA-regulated organization that would not otherwise be subject to the rules proposed in the Specter-Leahy bill.

Now, the carrot. Regardless of its passage, the Specter-Leahy bill highlights the fact that federal agencies depend on information provided by data brokers to practice smart government and fulfill technology-driven initiatives such as the President’s Management Agenda.

By awarding large contracts only to companies that maintain effective privacy and security programs for personal data, the government can offer a clear incentive for industry to protect sensitive consumer information.

Smith is marketing vice president at GuardianEdge Technologies, which sells encryption technology for mobile devices.
