House Panel Preps ID Theft Law

Republicans and Democrats have reached a compromise on
legislation mandating data brokers disclose to consumers certain unencrypted
breaches of their personal information.

The accord comes almost five months after a subcommittee of the panel
approved the Data Accountability and Trust Act (DATA Act) over the strenuous
objections of Democrats who argued the legislation lacked any real teeth.

In the original version of the bill, the public disclosure trigger was based
on a company’s evaluation that a “significant risk” of identity theft
existed with the breach. Democrats contended under that standard that breach
disclosures would be few and far between.

In the compromise version, that threshold is lowered to a “reasonable” risk
of identity theft.

“Identity theft ruins lives, and this bill … strikes a blow for consumers,”
Rep. John D. Dingell (D-Mich.) said in a statement. “It focuses on strong
security systems, notice to consumers of breaches and tough enforcement.”

In November, Dingell, the ranking Democrat on the committee, was highly
critical of the original bill, asking, “Why bother to pass a bill at all, if
this is what we propose to do to the American public?”

The amended legislation narrows the definition of data brokers to only those
companies that sell non-customer data to non-affiliated third parties.
Companies in compliance with the Fair Credit Reporting Act, Gramm-Leach
Bliley Act or the Health Insurance Portability and Accountability Act
(HIPPA) would be deemed in compliance with the DATA Act.

The bill also requires data brokers to establish “reasonable” procedures to
verify the accuracy of the information they collect and calls for the
brokers to “regularly” monitor security systems for breaches.

It also provides for a Federal Trade Commission (FTC) or independent audit
of a data broker’s security practice following a breach. The FTC could
require annual audits for a period of five years after the breach.

“Under current law, anyone has a near-perfect right to package your personal
information and do almost anything they want with it,” Energy and Commerce
Chairman Joe Barton (R-Texas) said.

“They can change it, share it, rent it or
sell it. The constraints are so flimsy they’re laughable. Our goal in
developing this legislation is to encourage a culture of strong data
security.”

The entire Energy and Commerce Committee may vote on the bill as early as
Wednesday.