RealTime IT News

House Panel Moves on Data Breach Bill

Congress took another stab today at data security legislation just as data breaches have risen to the top of the news cycle.

The House Commerce Committee approved legislation requiring data brokers to notify consumers when there is a "reasonable" risk that a breach could result in identity theft.

Encrypted data, according to the legislation, would establish a "presumption that no reasonable risk of identity theft, fraud or other unlawful conduct exists following a breach of security."

Through parliamentary maneuvering, the bill's language is almost identical to the legislation previously approved by the Commerce Committee in March.

If approved by the full House, the Data Accountability and Trust Act (DATA) would require data brokers to notify consumers in writing or by e-mail with a description of the personal information exposed to potential identity theft.

Currently, there is no federal law requiring data brokers to disclose breaches to the public. A California law and subsequent legislation by other states have forced data brokers to begin disclosing their breaches.

"We're very pleased with [the bill]. It's not perfect, but it's a workable solution," Susanna Montezemolo of the Consumers Union said.

The bill defines data brokers as companies that sell non-customer data to non-affiliated third parties.

Other companies holding personal data under the jurisdiction of the Fair Credit Reporting Act, Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA) are not subject to the legislation.

The DATA Act would also require data brokers to establish and implement information security practices. Part of that process calls for data brokers to identify any "reasonably foreseeable vulnerabilities" in their data collection and storage systems.

Since data broker ChoicePoint was forced last year by the California law to disclose that an ID theft ring gained access to the company's vital credit information, other public notices of data breaches across the country have proliferated.

Most recently, the Veterans Administration (VA) admitted 26.5 million personal records of veterans had been stolen. The VA said an employee violated agency policy by taking a laptop with the records on it home.

The laptop was subsequently stolen in a home burglary.

After the ChoicePoint disclosure, Congress initially vowed swift action to protect consumers, but legislation has bogged down in both the House and the Senate.

A competing bill to the Commerce Committee's legislation, for instance, only requires data brokers to investigate breaches. If the data broker decides there is no reasonable risk of identity theft, no notification for consumers is required.

The House Republican leadership will have to decide which bill to bring for a vote.

The Senate faces the same dilemma, where two separate committees have already passed differing data breach bills.

"What happens next is unclear," Montezemolo said.

With mid-term elections coming this fall and data breaches a hot button issue for voters, Congress is likely to pass some form of legislation to regulate data brokers and to require notification of breaches.

What, though, remains a major question.

"The art of legislation is compromise," Montezemolo said.