RealTime IT News

House Tables Data-Breach Law Talk

Any hope of a U.S. House data-breach disclosure law this year fizzled away Thursday in the face of opposition from Democrats who contend the legislation lacks enforcement teeth.

The Data Accountability and Trust Act narrowly passed a subcommittee vote in November, but was pulled from a full committee vote Thursday by Energy and Commerce Committee Chairman Joe Barton (R-Texas).

Barton said he reached the decision to delay the vote with committee ranking member John Dingell (D-Mich.) in order to give Republican and Democratic negotiators more time to work out differences over the bill.

"Mr. Dingell and I agreed to put off consideration in order to finalize agreements that have been reached in negotiations with the majority and minority," Barton said. "It is the intention of the chair [Barton] to consider the data-protection privacy bill as soon as possible ... but it likely won't happen until sometime in 2006."

Dingell said some of the differences over the bill have been worked out since the subcommittee vote, but enforcement issues are still unresolved.

"We are all in agreement that we need tough enforcement that will deter violations of the act," he said. "This bill is designed to provide important rights to consumers when their confidential information is compromised. But rights are meaningless without enforcement."

As approved in November, the bill requires data brokers to disclose to consumers any breaches of their unencrypted personal data. The bill would also preempt all state data-breach laws.

"I ... cannot support preemption of stronger state laws," Dingell said at the November subcommittee meeting. "Why bother to pass a bill at all, if this is what we propose to do to the American public?"

Democrats also objected to a last-minute change in the bill's language that eliminates a provision allowing consumers to review the personal information maintained on them by data brokers.

The 109th Congress opened against a backdrop of highly publicized data breaches at companies such as ChoicePoint and LexisNexis.

The ChoicePoint breach resulted in 145,000 consumers having their personal data exposed to possible identity theft, while LexisNexis admitted to at least 300,000 possible compromises of customer data.

The breaches only came to light because of a newly enacted California law that requires data brokers to inform consumers of data breaches.

In both the Senate and the House, there was an immediate call for national action to protect consumers. Almost a year later, however, neither chamber has passed any data-breach disclosure law.

The Senate Commerce Committee approved the Identity Theft Protection Act in July, but the full Senate has yet to vote on the legislation.

The bill requires data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a "reasonable risk" of identity theft involved in the breach.

The House bill defines a data breach as the unauthorized acquisition of personal information that establishes a "reasonable basis" to conclude that there is a "significant risk" of identity theft.

For purposes of disclosure, the bill defines identity theft as "assuming another person's identity for the purpose of engaging in commercial transactions."