Data Accountability and Trust Act Introduced
- May 10, 2011
- by Bruce Hulme
On May 4, 2011, members of the Subcommittee on Commerce, Manufacturing, and Trade of the House Energy and Commerce Committee held a hearing on The Threat of Data Theft to American Consumers and heard two panels of witnesses. The committee, chaired by Rep. Mary Bono Mack [R-CA-45] heard testimony from the following:
- David Vladeck, FTC Director, Bureau of Consumer Protection
- Pablo Martinez, U.S. Secret Service, Deputy Special Agent in Charge, Criminal Investigative Division
- Justin Brookman, Director, Consumer Privacy Project, Center for Democracy and Technology
- Dr. Gene Spafford, Executive Director, Purdue University
A May 2 Internal Memorandum from the Republican Committee Staff to the committee's members, since released, provides valuable background on where this committee intends to focus regarding bills being considered to address data breaches. ISPLA recently commented on HR 1707, the Data Accountability and Trust Act, introduced on the day of the hearing by Rep. Bobby L. Rush [D-IL-1]. Representative Mary Bono Mack has indicated she will also introduce her own bill. The information below comes from documents released by the Subcommittee on Commerce, Manufacturing, and Trade, which in part cover the following:
Since the issue of data breaches became a common household term in 2005 when hackers gained access to 160,000 consumer records in the ChoicePoint data breach, American consumers have been inundated with reports of such data breaches on a regular basis. According to the Privacy Rights Clearinghouse, over 2,500 data breaches implicating nearly 600 million records have been made public since that time. In April 2011 alone, the Clearinghouse reported over 30 data breaches occurring at hospitals and medical provider offices; universities; insurance companies; airlines; technology companies; banks; and at the municipal, State, and Federal government levels. These breaches occurred via phishing, theft of computer or other devices, and hacking, impacting a minimum of 99 million records (a number of these breaches impacted an unknown number of records).
These records involve various pieces of information that can be used alone or in conjunction with other pieces of information to wreak havoc on a consumer's financial well-being: by using existing lines of credit or establishing new ones, by gaining unlawful access to bank accounts, by acquiring jobs or government benefits for which the thief is otherwise not eligible, by seeking medical care, or by using another's identification in a law enforcement situation. Data breaches often involve unauthorized access to a person's name, birth date, Social Security number, driver's license number, credit account numbers, financial account numbers, usernames and passwords, or PINs.
Whether the breach occurs inadvertently through the accidental release of information, in the offline world by the loss of a laptop or stolen records, or online via hacking, the results can be disastrous for consumers. The FTC estimates nearly 9 million Americans fall victim to identity theft annually, costing both consumers and businesses tens of billions of dollars each year. While the Identity Theft Resource Center reports that both the cost to consumers and the number of hours lost in resolving identity thefts have fallen, consumers still lose hundreds of dollars out of pocket and spend dozens of hours on cleanup efforts.
In recent years, sophisticated and carefully orchestrated cyber attacks designed to obtain personal information about consumers, especially their credit card data, have become one of the fastest growing criminal enterprises in the United States and across the world. The boldness of these attacks and the threat they present to unsuspecting Americans were underscored recently by massive data breaches at Epsilon and Sony. ISPLA reported previously on the ramifications of the Epsilon breach.
With 77 million accounts stolen, including some 10 million credit card numbers, the recent data breach involving Sony's PlayStation Network has the potential to become the Great Brinks Robbery of cyber attacks. And the take keeps going up.
While the FBI and Secret Service, along with other law enforcement agencies, work around the clock to try and crack this sensational case, we now learn that a second Sony online service was also compromised during the same time period. Computer hackers obtained access to personal information relating to an additional 25 million customer accounts. That's more than 100 million accounts now in jeopardy.
Like their customers, both Sony and Epsilon, also hacked, are victims too. However, they also must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits enter. "E-commerce is a vital and growing part of our economy," the chairwoman stated. "We should take steps to embrace and protect it, and that starts with robust cyber security."
As Chairman of this Subcommittee, Rep. Bono Mack also stated that she was deeply troubled by these latest data breaches, and that she found the decision by both Epsilon and Sony not to testify before her hearing unacceptable.
While more than 40 States have individual data breach notification requirements, there is no Federal data breach notification law, with the exception of notification requirements for breached health information. In response to the confusing and often overlapping or contrary patchwork of State notification laws, Rep. Cliff Stearns [R-FL-6] (then Chairman of the Subcommittee on Commerce, Trade, and Consumer Protection) introduced H.R. 4127, the Data Accountability and Trust Act (DATA), in the 109th Congress. The bill established (1) security requirements for entities holding personal information to protect against unauthorized access; (2) notification procedures to affected consumers upon a breach; and (3) special requirements for information brokers. It charged the FTC with enforcement. The Committee reported H.R. 4127 on a bipartisan basis, but the bill did not proceed to the full House for a vote because of disagreements with other committees regarding jurisdiction that could not be resolved before the Congressional calendar expired.
In the 110th Congress, then-Chairman Bobby Rush [D-IL-1] reintroduced H.R. 4127 as H.R. 958, but the legislation received no Committee action. In the 111th Congress, Rep. Rush again reintroduced DATA as H.R. 2221, amended from the earlier versions (see Section-by-Section Analysis below). H.R. 2221 proceeded through the Committee on a bipartisan basis and passed the House by voice vote on December 8, 2009. As amended, H.R. 2221:
- Required entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data.
- Required companies to notify consumers in the event of a breach of personally identifiable information that results in a reasonable risk of identity theft or fraud.
- Imposed special requirements on information brokers (those that compile and sell consumer data to third parties), including assuring the accuracy of their information, allowing consumers access to their records, and giving them the ability to correct inaccurate information.
- Superseded State data breach and notification laws but permitted enforcement by State Attorneys General with an aggregate cap on damages.
- Preempted similar State laws to create a uniform national standard for data security and breach notification.
- Mandated reasonable security practices for paper records containing personally identifiable information.
- Permitted an information broker to include intentionally false information in a database if used for fraud detection purposes and the information is identified as inaccurate.
- Allowed for a delay in breach notification for law enforcement or national security purposes.
- Added passport numbers and military ID numbers to the definition of personal information.
Chairman Mary Bono Mack intends to introduce a data security bill based on H.R. 2221 after receiving comments through Subcommittee oversight and a relevant stakeholder process. ISPLA's constituents will be represented regarding concerns with defining investigators as information brokers and with restrictions placed on the recognized investigative tool of pretexting.
Written by Bruce Hulme, ISPLA Director of Government Affairs. To join ISPLA and support its proactive efforts in Washington, visit www.ISPLA.org.