
STEARNS' SUBCOMMITTEE APPROVES HIS DATA SECURITY LEGISLATION

BILL ENDORSED BY MICROSOFT AND BY ENTRUST

 
 

Washington, Nov 3, 2005 - "This bill will help ensure that personal data are accounted for, secured, and actively protected against breaches by empowering consumers and businesses to promote the notion that security sells," stated Rep. Cliff Stearns (R-FL), Chairman of the Commerce, Trade & Consumer Protection Subcommittee. "Given the alarming rate of data breaches and the resulting identity theft epidemic, consumers are understandably questioning the security of using the Internet for commercial transactions."

The Subcommittee today approved Stearns' legislation, H.R. 4127, the Data Accountability and Trust Act. H.R. 4127 does the following:

* Directs the Federal Trade Commission to promulgate rules requiring security for personal information that take into account the size, nature, and scope of the person's activities, the current state of technology, and the cost of implementing security procedures.

* Requires entities to have a security policy that explains the "collection, use, sale, other dissemination, and security" of the data they hold.

* Requires entities to appoint and identify a person in the organization who is responsible for information security.

* Requires any entity that experiences a breach of security to notify all those in the United States whose information was acquired by an unauthorized person as a result of the breach.

* Defines "breach of security" as the unauthorized acquisition of personal information that establishes a reasonable basis to conclude that there is significant risk of identity theft. The robust encryption of data, combined with appropriate key safeguards, establishes a rebuttable presumption that no such reasonable basis exists.

* Provides for an FTC audit of an information broker's security practices following a breach of security.

* Prohibits any private rights of action under the Act and preempts State breach notification laws and State data-security laws. It expressly preserves State consumer protection laws, as well as State trespass, contract, tort, and other State laws to the extent that those laws relate to acts of fraud, generally.

The panel also approved Stearns' amendment to improve the bill. Explained Stearns, "My amendment improves an already strong national data security and breach notification bill that, for the first time, will provide nationwide protection against data breaches and empower consumers through notification to take control of the protection of their personal data." The amendment permits the FTC to require an information broker to hire an independent audit instead of requiring the FTC to do the audit at taxpayer expense, allows for consumer notice of a security breach by e-mail if the consumer has consented to such notification, and expands the definition of a security breach.

The legislation next goes to the full Energy & Commerce Committee for consideration. That has not yet been scheduled.