Proposed National Data Security Law Passed by the House
On December 8, 2009, the U.S. House of Representatives passed H.R. 2221, the Data Accountability and Trust Act, by voice vote. The bill is similar in nature to the breach notification laws that many states have already enacted. Its provisions include the following:
H.R. 2221 defines personal information as “an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number
(ii) Driver’s license number or other State identification number
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”
Some more details of this bill include:
- The Federal Trade Commission would be the responsible enforcement agency.
- The FTC would ultimately define the proper technical procedures for protecting data.
- Organizations that have data need to establish a data security policy.
- Organizations must identify an information security officer.
- Organizations must have a process for identifying vulnerabilities, and monitoring for breaches.
- Organizations need a process for securely destroying data that is no longer required.
- Breaches need to be reported to the consumers affected, and to the FTC, unless:
  - “there is no reasonable risk of identity theft, fraud, or other unlawful conduct,” a standard the FTC would define should the bill pass; or
  - The organization experiencing the breach does not fall under the jurisdiction of the FTC.
The FTC does not have the power to enforce regulations on government, banks, savings and loan institutions, the insurance industry, and non-profits, which include colleges and universities.
The bill has some more stringent requirements for “data brokers,” including audits in the event of a breach. It also requires that victims be provided two years of quarterly credit reports at no charge. Third parties that hold data on behalf of another organization are required to notify that organization in the event of a breach, and the actual owner of the data is then required to notify consumers. There is an exemption for encrypted data. In addition, the FTC would define other exemptions if the bill becomes law. The FTC would also be tasked with posting data breaches on its website on a case-by-case basis when it deems doing so to be in the public interest.