DATA Act Approved to Combat ID Theft WASHINGTON - An influential House subcommittee approved sweeping legislation today to tackle the fastest-growing criminal enterprise in the United States - identity theft. On a vote of 13-8, the Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection approved the Data Accountability and Trust Act (DATA) or H.R. 4127. The bill has seven cosponsors, including House Republican Conference Chairman Deborah Pryce, R-Ohio. U.S. Rep. Joe Barton, R-Texas, said he expected to schedule a markup in the near future in the full Energy and Commerce Committee. "This bill sets strong national standards, provides for increased oversight of information brokers, and creates a workable data security and breach notification regime that provides incentives for technological solutions to security issues that will benefit consumers and the nation's commercial infrastructure alike," said U.S. Rep. Cliff Stearns, R-Fla., chairman of the subcommittee and author of H.R. 4127. The Federal Trade Commission (FTC) says that over a one-year period, nearly 10 million people had discovered that they were victims of identity theft. Estimated losses translated into $48 billion for businesses and $5 billion to consumers. Subcommittee Democrats offered series of amendments that would have imposed much greater burdens on private companies without offering any meaningful increase in consumer protections. They were defeated on party-line votes. One amendment would have changed the threshold, or "trigger," for consumer notification. Doing so, Stearns argued, would drive up costs for businesses and so inundate consumers with letters and e-mails that the warnings would be meaningless. A majority of the subcommittee agreed and instead chose to accept the recommendations of the FTC that such notices be required only when there is a "significant risk" of identity theft. Despite those disagreements, Barton expressed his hope that "we will have a bipartisan bill by the time we reach full committee" and said he and subcommittee Chairman Stearns will continue to work toward that goal. As approved by the subcommittee, the DATA Act would: Direct the FTC to create rules requiring security for personal information. The FTC would have to take into account the size, nature, and scope of the person's activities, the current state of technology, and the cost of implementing security procedures. Require entities to have a security policy that explains the "collection, use, sale, other dissemination, and security" of the data they hold. Require entities to appoint and identify a person in the organization that is responsible for information security. Require any entity that experiences a breach of security to notify all those in the United States whose information was acquired by an unauthorized person as a result of the breach. Conspicuous notice on the breached entity's Web site is also required. The FTC must also be notified. Define "breach of security" as the unauthorized acquisition of personal information where it is reasonable to conclude there is significant risk of identity theft. Provide for an FTC or independent audit of an information broker's security practices following a breach of security. It permits the FTC to conduct or require audits for a period of five years after the breach, or until the commission determines security practices are in compliance with the act and are adequate to prevent further breaches. Prohibit costly and disruptive lawsuits by preempting state breach notification laws with private rights of action. It expressly preserves state consumer protection laws, as well as state trespass, contract, tort, and other state laws relating to fraud. ####