Privacy and security experts recently gathered by the International Association of Privacy Professionals (IAPP) to assess the impact of a newly constituted Congress on legislation in 2007 offered predictions that ranged from no action on privacy bills to passage of security breach legislation.
Last month's well-attended audio conference, "Privacy, Security and the New Congress: What to Expect in 2007," offered expert analysis from Lynn McNulty, director of government affairs, Information Security Certification Consortium (ISC)2; Peter P. Swire, CIPP, C. William O'Neill professor of law, Moritz College of Law of The Ohio State University; Stu Ingis, partner, Venable LLP; and Paul Martino, counsel, Alston & Bird.
Identifying incoming legislative leaders, the panel noted that key committee chairmanships would be the first and most notable change. U.S. Reps. John D. Dingell and John Conyers Jr., both Michigan Democrats, and U.S. Rep. Barney Frank (D-Mass.), incoming chairmen for the Energy & Commerce, Judiciary and Financial Services committees respectively; and Sens. Daniel K. Inouye (D-Hawaii), Christopher Dodd (D-Conn.), Patrick Leahy (D-Vt.), and Edward M. Kennedy (D-Mass.) chairing the Commerce, Banking, Judiciary, and Health, Education, Labor & Pensions (HELP) committees, represent significant shifts in perspective across the board.
While those leadership changes will bring about shifts in priorities, it is unclear whether privacy will rank high enough on the agenda – especially in the crucial year before the 2008 presidential election.
Swire said he expects privacy's immediate influence to be in healthcare, where privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA) have been all but ignored since the law went into effect four years ago. Health and Human Services is "0 for 20,000" on enforcement of possible HIPAA violations, Swire said, adding that he is "pretty confident there will be oversight [hearings] at some point on enforcement."
Swire added that until there is real enforcement, along with the threat of fines, and legal and other associated costs, the healthcare industry is unlikely to spend money to come into full compliance. He added that privacy would also help to shape law related to medical marketing, electronic health records and the development of a national information sharing network for healthcare.
The panel also predicted that the Democrats will play a more active – but not activist – role in financial services. Because of scandals involving financial practice and corporate governance, laws such as Gramm-Leach-Bliley and Sarbanes-Oxley were not ignored like HIPAA, so a radical change in enforcement would be unlikely.
On marketing issues, consensus seemed to be that more education is needed before the new Congress could be expected to effectively address any potential areas of concern. Martino said that, while better tools for civil enforcement of threats such as phishing and spyware are needed, confusion reigns on Capitol Hill with regard to behavioral marketing, and overzealous attempts to legislatively address perceived threats could have unintended negative consequences. Bills designed to go after bad practices could, Martino warned, result in "compliance obligations aimed at good actors."
Federal treatment of broad-scope privacy issues, such as the Privacy Act, USA Patriot Act, Real ID and eGovernment initiatives, and National Security Agency and Foreign Intelligence Surveillance Act, is expected to draw greater attention from the Democrats, according to McNulty, who added that an electronic 2010 census, implemented with the use of wireless handheld devices, would force Congress to address many privacy and security issues.
The issue of overarching federal security breach notice law remained enigmatic. Characterized as a "mature debate," the panelists said they believe there will be new law by 2008, but whether the issue is part of an omnibus privacy bill or addressed separately remains to be seen. However, pressure for action will mount as Washington struggles with its own security management issues in the wake of the Veterans Administration breach and revelations of hundreds of lost IRS and Census Bureau laptop computers.
Swire also said that, as a lame duck Republican-led Congress pushes immunity for telecommunications service providers related to the ongoing and "heated" FISA debate, it is likely that the issue could be escalated to the Supreme Court, creating a potential constitutional crisis.
The complete 90-minute audio conference, including predictions for the upcoming legislative session, more detailed discussions of pending privacy issues, and audience questions on subjects such as RFID, privacy's role in the 2008 presidential elections, national security, pretexting and more, is available through the IAPP.