WASHINGTON, DC -- U.S. Representative Jan Schakowsky,
ranking member on the Subcommittee on Commerce, Trade, and Consumer Protection,
today continued to lead efforts to pass legislation that would protect consumers
from identity theft and fraud. The Energy and Commerce Committee today
unanimously passed the DATA Act, which requires information brokers and
businesses to keep consumers’ information accurate and secure, and ensures that
consumers are notified if their information may have been subject to
unauthorized access.
Representative Schakowsky’s opening statement is below:
The DATA Act seeks to address one of the most troubling revelations of the past year
and one of the biggest issues for consumers today: the lack of security and
regard for consumers’ personal information. I would like to thank you and
Chairman Stearns, for working with Ranking Member Dingell and me on the
Manager’s Amendment which would require companies to better secure consumers’
personal information and to notify them should their information be breached.
While not perfect, I believe that the Manager’s Amendment to the DATA Act helps
close the canyon-sized gaps in the law that put consumers at risk of identity
theft, fraud, and other crimes.
Since February 15, 2005 and the revelation that ChoicePoint had sold personal
records to con-artists, approximately 54 million notices have gone out to
consumers informing them that their personal information had not been adequately
protected and was breached. That’s over 915,000 notices per week – or over
130,000 per day – because of hacked computers, lost backup tapes, compromised
passwords, dishonest insiders, and lax online protections.
Notice went out because of strong laws in states like Illinois that require
consumers be contacted whenever their personal information has been compromised.
I am pleased that the Manager’s Amendment also requires nationwide notification
whenever consumers’ information is breached. The only exception in the DATA Act
is when it can be proved that a breach poses no reasonable risk of consumers
falling prey to identity theft, fraud or other unlawful acts. With the passage
of this Act, consumers nationwide will be able to make informed decisions about
how to proceed and protect themselves from becoming victims when their
information is breached.
I am also pleased that the Manager’s Amendment addresses potential
over-notification of consumers. Data insecurity is an epidemic. There have been
145 separate breaches in the last 13 months, 17 so far this month. Businesses
need to be more responsible with consumer information and held accountable when
they are not. The DATA Act security standards will prevent breaches of personal
information in the first place and consumers will therefore receive fewer
notices warning that their personal files could be in the hands of criminals.
The DATA Act’s inclusion of additional responsibilities for information brokers
– those who make their living selling consumers’ personal records – is also
vital to mitigating the risks that have been put on consumers in the Digital
Age. In particular, requiring data brokers to verify the accuracy of information
they gather will help ensure that consumers are not misrepresented. The
Manager’s Amendment also recognizes that it should be consumers’ right to access
and inspect their records in order to verify that the information filed under
their names is truly theirs and correct.
Another important feature of the DATA Act is the requirement that information
brokers keep an audit trail of files accessed. Not only will this provision help
catch the dishonest insiders taking home more than their paycheck, but it will
also speed up notification to consumers. ChoicePoint discovered its breach in
September of 2004, but did not send notices until February 2005 because its
staff had to recreate every search associated with the breach to determine who
the potential victims were. If an audit trail had already been in place, then
notice could have gone out much faster and consumers could have taken the steps
to protect themselves sooner after the breach.
Finally, I am pleased that we include a state attorney general enforcement
provision in the DATA Act. As you know, many states – like Illinois – are
already out there fighting to protect consumers from the negative effects of
data breaches. Keeping those cops on the street will ensure better enforcement
of this Act and offer better protections for consumers.
While I support the passage of the DATA Act, we still have work to do. A new
report by the Government Accountability Office has found that the Department of
Health and Human Services inadequately protects the personal information held on
Medicare and Medicaid recipients. I believe that it is our obligation to ensure
that government entities that fall under our committee’s jurisdiction are held
to the same level of accountability as private entities are under the DATA Act.
I hope my colleagues feel the same way and we can begin work on that soon.