Consumer data security bill passes out of House committee

A House committee this week unanimously approved a data security law that would establish federal standards for protecting personal information and would supersede state laws.

The Data Accountability and Trust Act (HR 4127) is one of a spate of bills introduced last year in the wake of publicity about the theft or loss of data that could lead to identity theft. The incidents came to light as a result of state laws requiring consumer notification of security breaches and spurred consumer demand for tighter regulation.

Data brokers and other companies subject to multiple state laws also have called for a single federal law.

The DATA Act is one of the first bills to move out of committee. It was approved Wednesday by a 41 to 0 vote in the House Energy and Commerce Committee.

The bill would require the Federal Trade Commission to establish security requirements for interstate businesses holding personal information in an electronic form. Requirements include creating security policies, naming a point person for information security and using state-of-the-art security practices.

Data brokers receive additional attention under the bill. They would be required to submit their policies to FTC, and the commission would perform annual security audits of any broker for up to five years after a data breach.

Any company experiencing a data breach would have to notify potential victims of identity theft 'if there is a reasonable basis to conclude that there is a significant risk of identity theft.'

Data encryption is the only technology specified in the bill, and adequate encryption could exempt a company from the need to notify victims.

'The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that such reasonable basis exists,' the bill says.

The bill would let businesses delay notification while breaches were being investigated. Although state attorneys general could bring suit under the law, it would supersede more than 30 state laws now in force.

At least four other House bills and six Senate bills addressing personal data security and notification are pending in committees. Nearly all of them provide for FTC enforcement. One bill, the Personal Data Privacy and Security Act (S 1789), would appropriate $25 million a year for grants to state and local government for enforcement, and the Consumer Identity Protection Act (S 1336) provides for private civil actions against companies that violate the act.

About the Author

William Jackson is a Maryland-based freelance writer.
