Congress took another stab today at data security legislation just as data breaches have risen to the top of the news cycle.
The House Commerce Committee approved legislation requiring data brokers to notify consumers when there is a “reasonable” risk the breach could result in identity theft.
Encrypted data, according to the legislation, would establish a “presumption that no reasonable risk of identity theft, fraud or other unlawful conduct exists following a breach of security.”
Through parliamentary maneuvering, the bill’s language is almost identical to the legislation previously approved by the Commerce Committee in March.

If approved by the full House, the Data Accountability and Trust Act (DATA) would require data brokers to notify consumers in writing or by e-mail with a description of the personal information exposed to potential identity theft.
Currently, there is no federal law requiring data brokers to disclose breaches to the public. A California law and subsequent legislation by other states have forced data brokers to begin disclosing their breaches.
“We’re very pleased with [the bill]. It’s not perfect, but it’s a workable solution,” Susanna Montezemolo of the Consumers Union said.
The bill defines data brokers as companies that sell non-customer data to non-affiliated third parties.

Other companies holding personal data under the jurisdiction of the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA) are not subject to the legislation.
The DATA Act would also require data brokers to establish and implement information security practices. Part of that process calls for data brokers to identify any “reasonably foreseeable vulnerabilities” in their data collection and storage systems.
Since data broker ChoicePoint was forced last year by the California law to disclose that an ID theft ring gained access to the company’s vital credit information, other public notices of data breaches across the country have proliferated.

Most recently, the Veterans Administration (VA) admitted 26.5 million personal records of veterans had been stolen. The VA said an employee violated agency policy by taking a laptop with the records on it home. The laptop was subsequently stolen in a home burglary.
After the ChoicePoint disclosure, Congress initially vowed swift action to protect consumers, but legislation has bogged down in both the House and the Senate.
A competing bill to the Commerce Committee’s legislation, for instance, only requires data brokers to investigate breaches. If the data broker decides there is no reasonable risk of identity theft, no notification for consumers is required.

The House Republican leadership will have to decide which bill to bring for a vote.
The Senate faces the same dilemma, where two separate committees have already passed differing data breach bills.

“What happens next is unclear,” Montezemolo said.
With mid-term elections coming this fall and data breaches a hot-button issue for voters, Congress is likely to pass some form of legislation to regulate data brokers and to require notification of breaches. What, though, remains a major question.

“The art of legislation is compromise,” Montezemolo said.