Consumer data security bill passes out of House committee
- By William Jackson
- Mar 31, 2006
A House committee this week unanimously approved a data security law that would establish federal standards for protecting personal information and would supersede state laws.
The Data Accountability and Trust Act, (HR 4127)
, is one of a spate of bills introduced last year in the wake of publicity about the theft or loss of data that could lead to identity theft. The incidents came to light as a result of state laws requiring consumer notification of security breaches and spurred a consumer demand for tighter regulation.
Data brokers and other companies subject to multiple state laws also have called for a single federal law.
The DATA Act is one of the first bills to move out of committee. It was approved Wednesday by a 41 to 0 vote in the House Energy and Commerce Committee.
The bill would require the Federal Trade Commission to establish security requirements for interstate businesses holding personal information in an electronic form. Requirements include creating security policies, naming a point person for information security and the use of state-of-the-art security practices.
Data brokers receive additional attention under the bill. They would be required to submit their policies to FTC, and the commission would perform annual security audits of any broker for up to five years after a data breach.
Any company experiencing a data breach would have to notify potential victims of identity theft 'if there is a reasonable basis to conclude that there is a significant risk of identity theft.'
Data encryption is the only technology specified in the bill, and adequate encryption could exempt a company from the need to notify victims.
'The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that such reasonable basis exists,' the bill says.
The bill would let businesses delay notification while breaches were being investigated. Although state attorneys general could bring suit under the law, it would supersede more than 30 state laws now in force.
At least four other House bills and six Senate bills addressing personal data security and notification are pending in committees. Nearly all of them provide for FTC enforcement. One bill, the Personal Data Privacy and Security Act (S 1789) would appropriate $25 million a year for grants to state and local government for enforcement, and the Consumer Identity Protection Act (S 1336) provides for private civil actions against companies that violate the act.
William Jackson is a Maryland-based freelance writer.