Any hope of a U.S. House data-breach disclosure law this year fizzled away
Thursday in the face of opposition from Democrats who contend the
legislation lacks enforcement teeth.
The Data Accountability and Trust Act narrowly passed a subcommittee vote in
November, but was pulled from a full committee vote Thursday by Energy and
Commerce Committee Chairman Joe Barton (R-Texas).
Barton said he reached the decision to delay the vote with committee ranking member John Dingell (D-Mich.) in order to give Republican
and Democratic negotiators more time to work out differences over the bill.
“Mr. Dingell and I agreed to put off consideration in order to finalize
agreements that have been reached in negotiations with the majority and
minority,” Barton said. “It is the intention of the chair [Barton] to
consider the data-protection privacy bill as soon as possible … but it likely
won’t happen until sometime in 2006.”
Dingell said some of the differences over the bill have been worked out
since the subcommittee vote, but enforcement issues are still unresolved.
“We are all in agreement that we need tough enforcement that will deter
violations of the act,” he said. “This bill is designed to provide important
rights to consumers when their confidential information is compromised. But
rights are meaningless without enforcement.”
As approved in November, the bill requires data brokers to disclose to
consumers any breaches of their unencrypted personal data. The bill would
also preempt all state data-breach laws.
“I … cannot support preemption of stronger state laws,” Dingell said at the
November subcommittee meeting. “Why bother to pass a bill at all, if this is
what we propose to do to the American public?”
Democrats also objected to a last-minute change in the bill’s language that
eliminates a provision allowing consumers to review the personal information
maintained on them by data brokers.
The 109th Congress opened against a backdrop of highly publicized data
breaches at companies such as ChoicePoint and LexisNexis.
The ChoicePoint breach resulted in 145,000 consumers having their personal
data exposed to possible identity theft while LexisNexis admitted to at
least 300,000 possible compromises of customer data.
The breaches only came to light because of a newly enacted California law
that requires data brokers to inform consumers of data breaches.
In both the Senate and the House, there was an immediate call for national
action to protect consumers. Almost a year later, however, neither chamber
has passed any data-breach disclosure law.
The Senate Commerce Committee approved the Identity Theft Protection Act in
July, but the full Senate has yet to vote on the legislation.
The bill requires data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a “reasonable risk” of identity theft involved in the breach.
The House bill defines a data breach as the unauthorized acquisition of
personal information that establishes a “reasonable basis” to conclude that
there is a “significant risk” of identity theft.
For purposes of disclosure, the bill defines identity theft as “assuming
another person’s identity for the purpose of engaging in commercial
transactions.”