Yesterday, for the first time ever, a data breach notification bill actually came to a vote in the United States Congress. The House of Representatives passed by voice vote H.R. 2221, the Data Accountability and Trust Act. This bill and others have been introduced many times over the past several sessions of Congress, but unlike other similar bills and this bill’s predecessors, H.R. 2221 not only came out of committee, but was voted on and passed.
This bill is similar in nature to multiple state breach notification laws that have already been passed. Here are some highlights:
H.R. 2221 defines personal information as, “an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
- (i) Social Security number
- (ii) Driver’s license number or other State identification number
- (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”
Some more details include:
- The Federal Trade Commission would be the responsible agency.
- The FTC would ultimately define the proper technical procedures for protecting data.
- Organizations that have data need to establish a data security policy.
- Organizations must identify an information security officer.
- Organizations must have a process for identifying vulnerabilities, and monitoring for breaches.
- Organizations need a process for securely destroying data that is no longer required.
- Breaches need to be reported to the consumers affected, and to the FTC, unless:
  - “there is no reasonable risk of identity theft, fraud, or other unlawful conduct,” which will be defined by the FTC should the bill pass; or
  - the organization experiencing the breach does not fall under the jurisdiction of the FTC.
The jurisdiction point is significant. The FTC does not have the power to enforce regulations on government, banks, savings and loan institutions, the insurance industry, and non-profits, which include colleges and universities. These exclusions narrow the bill’s reach considerably.
The bill has some more stringent requirements for “data brokers”, including audits in the event of a breach. It also requires two years of quarterly credit reports provided to victims at no charge. Third parties are required to notify customers in the event of a breach, and the actual owner of the data is then required to notify consumers. There is an encryption exemption (in addition to whatever exemptions the FTC will define) should the bill become law. The FTC would also be tasked with posting breaches on their website if the commission deems it in the public interest on a case-by-case basis.
There are several other interesting subtleties in this bill, and we encourage anyone interested to read the bill themselves. The law has some gaping holes, such as FTC jurisdiction, and may preempt stronger state laws. On the flip side, it would certainly add some degree of consistency for organizations experiencing breaches, and would simplify compliance as a result. It also would provide notification for consumers in states without breach notification laws. For these reasons and many more, it behooves everyone to familiarize themselves with this particular proposed legislation.
Updated (12-10-2009): See Incidents that may have been exempt from this bill were it law at the time of the incidents.
Finally, below is a clip of the bill being explained in the House, and subsequently passing by voice vote: