WASHINGTON — The U.S. Senate Commerce Committee passed legislation today requiring disclosure to consumers when sensitive personal data is breached or lost.
Approved on a voice vote, the Identity Theft Protection Act requires data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a “reasonable risk” of identity theft involved in the breach.
The evidence of possible identity theft includes such factors as whether the data containing sensitive information is useable by an unauthorized third party and whether the data is in the possession of an unauthorized third party that is likely to commit identity theft.
Under the bill’s language, companies and other organizations are required to
develop, maintain and enforce a written program for the security of sensitive
information. Physical and technological safeguards will be mandated through
rules and regulations developed by the Federal Trade Commission (FTC).
Within a year of the passage of the bill, the FTC is required to develop
procedures for authenticating the credentials of any third party to which
sensitive personal information is to be transferred or sold by a data broker
or other organization.
For security breaches involving 1,000 or more consumers, the firms responsible
for the breaches must notify not only consumers but also the FTC. The agency,
in turn, will post a report of the breach on its Web site without disclosing
any sensitive personal data.
For breaches of fewer than 1,000 records that do not create a reasonable risk
of identity theft, the data broker must still notify the FTC.
Despite the objections of some in the technology community, the bill covers
both encrypted and unencrypted data.
In an amendment added Thursday, the bill also outlaws the selling, purchasing
or displaying of Social Security numbers. The Senate Judiciary Committee is
considering a similar measure, as are various House committees drafting a
national data breach law.
“As a matter of law, Social Security numbers shouldn’t be available to buy and
sell,” Sen. Byron Dorgan (D-N.D.) said when introducing the amendment.
The bill also proposes to pre-empt state laws and prohibits private rights of
action by individuals. Identity theft victims, however, can put a freeze on
their credit reports.
Thursday’s vote comes after a series of high-profile data breaches put the issue on Congress’ radar. It first launched a series of hearings in the spring after the ChoicePoint and LexisNexis breaches made headlines. In those cases, consumers were notified of the breaches of their personal information only because of the new California disclosure law.
The Identity Theft Protection Act now goes to the full Senate for a vote, and it is likely there will be other amendments added to the legislation.