RealTime IT News

Data-Breach Disclosure Bill Passes House Panel

Legislation forcing data brokers to disclose security breaches to the public passed the U.S. House Energy and Commerce Committee today on a 41-0 vote.

The Data Accountability and Trust Act (DATA) would place new requirements on data brokers such as ChoicePoint to notify the public if there is a "reasonable risk" of identity theft associated with a data breach.

The data brokers would also be required to implement effective security safeguards to protect collected data.

Currently, there is no federal law requiring data brokers to disclose breaches to the public. A California law has prompted the disclosures of high-profile breaches over the last two years.

The bill now moves to the full House for an as-yet-unscheduled vote.

H.R. 4127 narrows the definition of data brokers to only those companies that sell non-customer data to non-affiliated third parties. Companies in compliance with the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA) would be deemed in compliance with the DATA Act.

The bill "sends a clear message: 'If you can't protect it, don't collect it,'" Rep. John Dingell (D-Mich.) said in a statement.

Energy and Commerce Committee Chairman Joe Barton (R-Texas) added, "Nobody needs to be left in the dark when their data has been compromised by a crook."

Barton noted that financial data collected under the Fair Credit Reporting Act and federal measures have benefited from security protections for many years.

"But criminals can cause harm with other sensitive personal information that many companies have, and it is time for a federal standard which protects that information," Barton said.

The bill directs the Federal Trade Commission (FTC) to establish "rigorous" national standards for data brokers to protect the personal information of consumers and requires that data brokers have a security policy in place that explains the "collection, use, sale, other dissemination and security" of the data they hold.

The legislation also requires data brokers to appoint and identify a person in the organization responsible for security.

"This is legislation that consumers deserve if we are to help them and our economy defeat the growing menace of identity theft," bill sponsor Cliff Stearns (R-Fla.) said.

The FTC testified earlier this year that during a one-year period, estimated losses from ID theft translated into $48 billion for businesses and $5 billion for consumers.

"The privacy of millions of Americans has been put on the line by information brokers and businesses with lax safeguards. It is easy to be a data burglar in the Digital Age when a person's Social Security number, home address and credit history are available at the click of a button," Rep. Jan Schakowsky (D-Ill.) stated.

In addition to requiring data brokers to notify individuals of a breach of their confidential information, the bill requires them to post "conspicuous" notice on their Web sites in the event of a breach.

Data brokers that experience a breach would be subject to FTC or independent audits for a period of five years after the breach.

"This bill puts up a firewall that will make it more difficult for data thieves to break through, protecting consumers from identity theft and fraud," Schakowsky said.