Legislation forcing data brokers to disclose security breaches to the
public passed the U.S. House Energy and Commerce Committee today on a 41-0
vote.
The Data Accountability and Trust Act (DATA) would place new requirements on
data brokers such as ChoicePoint to notify the public if there is a
“reasonable risk” of identity theft associated with a data breach. The data
brokers would also be required to implement effective security safeguards to
protect collected data.
Currently, there is no federal law requiring data brokers to disclose
breaches to the public. A California law has prompted the disclosures of
high-profile breaches over the last two years.
The bill now moves to the full House for an as-yet-unscheduled vote.
H.R. 4127 narrows the definition of data brokers to only those companies
that sell non-customer data to non-affiliated third parties. Companies in
compliance with the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act
(GLBA) or the Health Insurance Portability and Accountability Act (HIPAA)
would be deemed in compliance with the DATA Act.
The bill “sends a clear message: ‘If you can’t protect it, don’t collect
it,’” Rep. John Dingell (D-Mich.) said in a statement.
Energy and Commerce Committee Chairman Joe Barton (R-Texas) added, “Nobody
needs to be left in the dark when their data has been compromised by a
crook.”
Barton noted that financial data collected under the Fair Credit Reporting
Act and federal measures have benefited from security protections for many
years.
“But criminals can cause harm with other sensitive personal information that
many companies have, and it is time for a federal standard which protects
that information,” Barton said.
The bill directs the Federal Trade Commission (FTC) to establish “rigorous”
national standards for data brokers to protect the personal information of
consumers and requires that data brokers have a security policy in place
that explains the “collection, use, sale, other dissemination and security”
of the data they hold.
The legislation also requires data brokers to appoint and identify a person
in the organization responsible for security.
“This is legislation that consumers deserve if we are to help them and our
economy defeat the growing menace of identity theft,” bill sponsor Cliff
Stearns (R-Fla.) said.
The FTC testified earlier this year that during a one-year period, estimated
losses from ID theft translated into $48 billion for businesses and $5
billion to consumers.
“The privacy of millions of Americans has been put on the line by
information brokers and businesses with lax safeguards. It is easy to be a
data burglar in the Digital Age when a person’s Social Security number,
home address and credit history are available at the click of a button,”
Rep. Jan Schakowsky (D-Ill.) stated.
In addition to notifying individuals of a data breach of their confidential
information, the bill also requires data brokers to post “conspicuous”
notice on their Web sites in the event of a breach.
Data brokers that experience a breach would be subject to FTC or
independent audits for a period of five years after the breach.
“This bill puts up a firewall that will make it more difficult for data
thieves to break through, protecting consumers from identity theft and
fraud,” Schakowsky said.