STEARNS OFFERS DATA SECURITY LEGISLATION FOR THE ENERGY & COMMERCE COMMITTEE

REQUIRES ENTITIES HANDLING PERSONAL INFORMATION TO ESTABLISH SECURITY POLICIES AND TO NOTIFY CONSUMERS OF BREACHES

Washington, Oct 25, 2005 - "We live in the information age and information is essential to conducting business and carrying on in our daily lives in the 21st century," said Rep. Cliff Stearns (R-FL), Chairman of the Commerce, Trade & Consumer Protection Subcommittee. "However, information is power, and in the wrong hands a tool for significant abuse. Ongoing incidents of data security breaches rightly undermine the public's faith that this personal information is protected. This bill addresses this concern and provides real protection for personal information."

Stearns today introduced H.R. 4127, the Data Accountability and Trust Act. Explained Stearns, "This bill requires entities holding personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data. Also, it requires notification to those individuals whose information has been revealed through a security breach. Special requirements are imposed on information brokers, those that compile and sell consumer data to third parties. In addition, it includes preemption of similar state laws to create a uniform national standard for data security and breach notification."

Rep. Joe Barton (R-TX), Chairman of the Energy & Commerce Committee, stated, "I have been troubled by security breaches this year at companies in a range of industries from data brokers to retail outlets. Time and again identity thieves raided or conned their way into an electronic storehouse that was supposed to be safe and secure. Identity theft is not much different than burglary, and more and more it looks like the crooks are walking into places where the doors and windows have been left open. Worse yet, months can pass before the identity theft victim even hears about it, and the damage may take years to repair."

Rep. Deborah Pryce (R-OH), Chair of the House Republican Conference, expressed her support for the bill. "This is tremendous news for consumers and anyone concerned with the protection of their personal and financial information," said Pryce. "Identity theft continues to grow daily and protecting personal information will undoubtedly require a broad, comprehensive defense."

The major provisions are:
* Directs the Federal Trade Commission (FTC) to promulgate rules requiring security for personal information. It gives the FTC substantial guidance on the content of those rules, including that the Commission take into account the size, nature, and scope of the person's activities, the current state of technology, and the cost of implementing security procedures.
* Requires entities to have a security policy that explains the "collection, use, sale, other dissemination, and security" of the data they hold.
* Requires entities to appoint and identify a person in the organization who is responsible for information security.
* Requires any entity that experiences a breach of security to notify all those in the United States whose information was acquired by an unauthorized person as a result of the breach. Conspicuous notice on the breached entity's website is also required. The FTC, and any financial institution whose issued accounts may be affected, must also be notified.
* Defines "breach of security" as the unauthorized acquisition of personal information that establishes a reasonable basis to conclude that there is significant risk of identity theft. The robust encryption of data, combined with appropriate key safeguards, establishes a rebuttable presumption that no such reasonable basis exists.
* Provides for an FTC audit of an information broker's security practices following a breach of security. It permits the FTC to conduct an annual audit for a period of 5 years after the breach, or until the Commission determines security practices are in compliance with the Act and are adequate to prevent further breaches.
* Prohibits any private rights of action under the Act and preempts State breach notification laws and State laws. It expressly preserves State consumer protection laws, as well as State trespass, contract, tort, and other State laws to the extent that those laws relate to acts of fraud, generally.