Smith: The carrot-and-stick approach

Federal agencies should reward companies that ensure the privacy of consumer data

As recently evidenced by the Federal Trade Commission’s record-setting fine against ChoicePoint, the federal government is getting serious about holding businesses responsible for the protection of consumer information. In addition to the actions taken by FTC and other governing bodies, several members of Congress have introduced bills designed to protect consumers from identity theft and other types of fraud. Several of those bills seek to restrict or regulate the use of personally identifiable information such as credit card numbers, customer records and Social Security numbers.

One bill in particular — the Personal Data Privacy and Security Act — has support from Republican and Democratic senators and may soon come to a vote on the Senate floor. Sometimes referred to as the Specter-Leahy bill, the act focuses on data brokers and other organizations that own, use or license personally identifiable information. It would impose new standards for data security and heavy penalties for noncompliance.

First, the stick. The Specter-Leahy bill would require all affected organizations to implement a personal data privacy and security program designed to ensure the privacy, security and confidentiality of personal electronic records. The bill would take a cue from a California bellwether law by requiring organizations to contact authorities and affected individuals in the event of a security breach involving sensitive personal information.

If passed, the bill would have a profound effect on how government agencies award contracts to data brokers and other information service providers. The General Services Administration and all federal agencies would have to audit the security practices of data brokers before awarding them large contracts. Furthermore, the bill states that penalties for noncompliance must be written into contracts to ensure ongoing compliance after they have been awarded. Sponsors of the Specter-Leahy bill point to the ChoicePoint debacle as a prime example of why such rules are necessary.

“The ChoicePoint breach highlights a dangerous vulnerability in the information economy — the inadequate screening of the customers who are buying personal information,” said Sen. Patrick Leahy (D-Vt.).

However, some critics point out that the bill would pre-empt state notification laws such as California SB-1386 — the Database Security Breach Notification Act — and that it would not apply to organizations already covered by existing regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA).

But here’s the catch. If the Specter-Leahy bill passes into law, data brokers and other consumer information traffickers must implement higher standards of security if they want to win large contracts with federal agencies. That would be true even if they are a GLBA- or HIPAA-regulated organization that would not otherwise be subject to the rules proposed in the Specter-Leahy bill.

Now, the carrot. Regardless of its passage, the Specter-Leahy bill highlights the fact that federal agencies depend on information provided by data brokers to practice smart government and fulfill technology-driven initiatives such as the President’s Management Agenda.

By awarding large contracts only to companies that maintain effective privacy and security programs for personal data, the government can offer a clear incentive for industry to protect sensitive consumer information.

Smith is marketing vice president at GuardianEdge Technologies, which sells encryption technology for mobile devices.
