Today the House Energy and Commerce Committee had a unanimous 41-0 vote in favor of H.R. 4127, the Data Accountability and Trust Act. Let’s walk through the major portions of this bill; it:
- Requires "each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information."
- Requires the policies and procedures to cover the collection, use, sale, other dissemination, and maintenance personal information.
- Requires the identification of an officer with responsibility for the management of information security.
- Requires a process for identifying and assessing "any reasonably foreseeable vulnerabilities in the system" that contains personal information.
- Requires a process for taking preventive and corrective action to mitigate against any vulnerabilities "which may include encryption of such data, implementing any changes to security practices and the architecture, installation, or implementation of network or operating software."
- Requires information brokers to annually submit their information security policies to the FTC.
- Requires the FTC to perform audits of information brokers who have experienced a breach.
- Requires information brokers to allow individuals to view their corresponding information and to communicate on their website how indiiduals can accomplish this.
- Requires information brokers to maintain documentation for when individuals dispute the accuracy of their information.
- Requires "any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information" following a security breach to:
(1) notify U.S. citizens "whose personal information was acquired by an unauthorized person as a result of such a breach of security" of the breach
(2) notify the FTC;
(3) place a conspicuous notice about the breach on their website
(4) in the case of a breach of financial account information of a merchant, notify the financial institution when financial account information is breached.
- Requires notifications to "be made as promptly as possible and without unreasonable delay following the discovery of a breach of security of the system and any measures necessary to determine the scope of the breach, prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system."
- Allows for either written or email notification (if the individual has consented to receive notification via email).
- Requires the content of the direct notification to include "(i) a description of the personal information that was acquired by an unauthorized person; (ii) a telephone number that the individual may use, at no cost to such individual, to contact the person to inquire about the security breach or the information the person maintained about that individual; (iii) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and (iv) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft."
- Allows for substitute notification in lieu of direct notification if the direct notification will be "(i) excessive cost to the person required to provide such notification relative to the resources of such person, as determined in accordance with the regulations issued by the Commission" or "(ii) lack of sufficient contact information for the individual required to be notified."
- Require the content of substitute notification to be "in print and broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside. Such notification shall include a telephone number where an individual can, at no cost to such individual, learn whether or not that individual’s personal information is included in the security breach."
- Requires the FTC to establish the criteria for substitute notification and general guidance for compliance with the law within 270 days after the law is enacted.
- Requires the person required to give notification to provide consumer credit reports to each impacted individual, at no cost to the individuals, consumer credit reports from at least one of the "major credit reporting agencies beginning not later than 2 months following a breach of security and continuing on a quarterly basis for a period of 2 years thereafter."
- Requires the FTC to post a notice of each reported security breach in a conspicuous location on the FTC website.
It is important to know the definitions of key terms within this bill; they follow:
"(1) BREACH OF SECURITY- The term `breach of security’ means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates. The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no such reasonable basis exists. Any such presumption may be rebutted by facts demonstrating that the method of encryption has been or is likely to be compromised.
(2) COMMISSION- The term `Commission’ means the Federal Trade Commission.
(3) DATA IN ELECTRONIC FORM- The term `data in electronic form’ means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.
(4) ENCRYPTION- The term `encryption’ means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.
(5) IDENTITY THEFT- The term `identity theft’ means the unauthorized assumption of another person’s identity for the purpose of engaging in commercial transactions under the name of such other person.
(6) INFORMATION BROKER- The term `information broker’ means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not customers of such entity for the sale or transmission of such information or the provision of access to such information to any third party, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity.
(7) PERSONAL INFORMATION-
(A) DEFINITION- The term `personal information’ means an individual’s first and last name in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number.
(ii) Driver’s license number or other State identification number.
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
(B) MODIFIED DEFINITION BY RULEMAKING- The Commission may, by rule, modify the definition of `personal information’ under subparagraph (A) to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.
(8) PERSON- The term `person’ has the same meaning given such term in section 551(2) of title 5, United States Code."
Also important to note are the ways in which this law would preempt the state level laws:
"(a) Preemption of State Information Security Laws- This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State that expressly–
(1) requires information security practices and treatment of personal information similar to any of those required under section 2; and
(2) requires notification to individuals of a breach of security resulting in unauthorized acquisition of their personal information.
(b) Additional Preemption-
(1) IN GENERAL- No person other than the Attorney General of a State may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.
(2) PROTECTION OF CONSUMER PROTECTION LAWS- This subsection shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State.
(c) Protection of Certain State Laws- This Act shall not be construed to preempt the applicability of–
(1) State trespass, contract, or tort law; or
(2) other State laws to the extent that those laws relate to acts of fraud."
The law would take effect 1 year after enactment, and, interestingly, cease to be in effect 10 years from the date of enactment.
There is so much to say and discuss about this bill. It is certainly getting closer to including the types of data protection requirements found in non-U.S. laws.
However, some general comments about this bill…
- It is great there a data protection (privacy) law finally being proposed that would be applicable to all businesses
- Would help support the establishment of formal information security positions and programs in all industries/businesses
- Why are data brokers the only businesses required to allow individuals to see their corresponding information that the business posssesses? Probably to avoid what the lawmakers would view as an undue-burden on all businesses. However, healthcare and financial organizations already must allow for this.
- Requiring breach notification when personal information "has been acquired" could be a huge potential loophole…what does acquired mean? This could be debatable, even with the provided definitions…it can mean many things depending on who is arguing for or against it.
- Limiting notification to only "each individual of the U.S." is curious; organizations would be unwise not to treat all their customers equally with regard to notification no matter where they are located.
- It will be interesting to see what the FTC determines is "excessive cost" for direct notification.
- Very importantly, if data is strongly encrypted and the encryption is managed appropriately, then the breach would not need to be reported. More reason for organizations to use encryption…it’s a great security tool! This also helps to ensure notices are truly only given when there is real risk to the electronic data.
- The bill only covers eletronic data. Too bad; many incidents have occurred with printed documents.
- Notice this bill would preempt the state level breach notification laws.
- I don’t know why the law would cease to be in effect 10 years after enactment; why is this? Will there no longer be personal information breaches in 10 years for some reason the general public does not know about? Very curious indeed…
identity theft bill
Data Accountability and Trust Act
House Energy and Commerce Committee