RealTime IT News

House Panel Preps ID Theft Law

Republicans and Democrats have reached a compromise on legislation mandating data brokers disclose to consumers certain unencrypted breaches of their personal information.

The accord comes almost five months after a subcommittee of the panel approved the Data Accountability and Trust Act (DATA Act) over the strenuous objections of Democrats who argued the legislation lacked any real teeth.

In the original version of the bill, the public disclosure trigger was based on a company's evaluation that a "significant risk" of identity theft existed with the breach. Democrats contended under that standard that breach disclosures would be few and far between.

In the compromise version, that threshold is lowered to a "reasonable" risk of identity theft.

"Identity theft ruins lives, and this bill ... strikes a blow for consumers," Rep. John D. Dingell (D-Mich.) said in a statement. "It focuses on strong security systems, notice to consumers of breaches and tough enforcement."

In November, Dingell, the ranking Democrat on the committee, was highly critical of the original bill, asking, "Why bother to pass a bill at all, if this is what we propose to do to the American public?"

The amended legislation narrows the definition of data brokers to only those companies that sell non-customer data to non-affiliated third parties. Companies in compliance with the Fair Credit Reporting Act, Gramm-Leach Bliley Act or the Health Insurance Portability and Accountability Act (HIPPA) would be deemed in compliance with the DATA Act.

The bill also requires data brokers to establish "reasonable" procedures to verify the accuracy of the information they collect and calls for the brokers to "regularly" monitor security systems for breaches.

It also provides for a Federal Trade Commission (FTC) or independent audit of a data broker's security practice following a breach. The FTC could require annual audits for a period of five years after the breach.

"Under current law, anyone has a near-perfect right to package your personal information and do almost anything they want with it," Energy and Commerce Chairman Joe Barton (R-Texas) said.

"They can change it, share it, rent it or sell it. The constraints are so flimsy they're laughable. Our goal in developing this legislation is to encourage a culture of strong data security."

The entire Energy and Commerce Committee may vote on the bill as early as Wednesday.