DATA Act Approved to Combat ID Theft
WASHINGTON - An influential House subcommittee approved sweeping
legislation today to tackle the fastest-growing criminal enterprise in the
United States - identity theft.
On a vote of 13-8, the Energy and Commerce Committee's Subcommittee on
Commerce, Trade and Consumer Protection approved the Data Accountability and
Trust Act (DATA) or H.R. 4127. The bill has seven cosponsors, including House
Republican Conference Chairman Deborah Pryce, R-Ohio. U.S. Rep. Joe Barton,
R-Texas, said he expected to schedule a markup in the near future in the full
Energy and Commerce Committee.
"This bill sets strong national standards, provides for increased
oversight of information brokers, and creates a workable data security and
breach notification regime that provides incentives for technological solutions
to security issues that will benefit consumers and the nation's commercial
infrastructure alike," said U.S. Rep. Cliff Stearns, R-Fla., chairman of
the subcommittee and author of H.R. 4127.
The Federal Trade Commission (FTC) says that over a one-year period, nearly
10 million people had discovered that they were victims of identity theft.
Estimated losses translated into $48 billion for businesses and $5 billion to
consumers.
Subcommittee Democrats offered a series of amendments that would have imposed
much greater burdens on private companies without offering any meaningful
increase in consumer protections. They were defeated on party-line votes.
One amendment would have changed the threshold, or "trigger," for
consumer notification. Doing so, Stearns argued, would drive up costs for
businesses and so inundate consumers with letters and e-mails that the warnings
would be meaningless. A majority of the subcommittee agreed and instead chose to
accept the recommendations of the FTC that such notices be required only when
there is a "significant risk" of identity theft.
Despite those disagreements, Barton expressed his hope that "we will
have a bipartisan bill by the time we reach full committee" and said he and
subcommittee Chairman Stearns will continue to work toward that goal.
As approved by the subcommittee, the DATA Act would:
- Direct the FTC to create rules requiring security for personal
information. The FTC would have to take into account the size, nature, and
scope of the person's activities, the current state of technology, and the
cost of implementing security procedures.
- Require entities to have a security policy that explains the
"collection, use, sale, other dissemination, and security" of the
data they hold.
- Require entities to appoint and identify a person in the organization who
is responsible for information security.
- Require any entity that experiences a breach of security to notify all
those in the United States whose information was acquired by an unauthorized
person as a result of the breach. Conspicuous notice on the breached
entity's Web site is also required. The FTC must also be notified.
- Define "breach of security" as the unauthorized acquisition of
personal information where it is reasonable to conclude there is significant
risk of identity theft.
- Provide for an FTC or independent audit of an information broker's
security practices following a breach of security. It permits the FTC to
conduct or require audits for a period of five years after the breach, or
until the commission determines security practices are in compliance with
the act and are adequate to prevent further breaches.
- Prohibit costly and disruptive lawsuits by preempting state breach
notification laws with private rights of action. It expressly preserves
state consumer protection laws, as well as state trespass, contract, tort,
and other state laws relating to fraud.