Saturday, April 01, 2006

Congressional committee sends data breach bill to House for vote

According to Techweb, the US Congress House Energy and Commerce Committee have unanimously approved HR 4127, the Data Accountability and Trust Act. This sends the bill to the full house for a vote (see: TechWeb News Privacy Groups Herald House Data Breach Bill)

Below is the full text of the bill, but I have a few observations first. (Remember, I am not a US lawyer, so I will happy accept corrections on my interpretation of the text):

  1. "Personal information" includes an individual's name in combination with other information, including your bank account number and PIN. This means that there would be no notification requirement if your credit card number or debit card number and PIN are disclosed without a name, even though financial harm can be done without the person's name.
  2. This law appears to apply to Canadian companies that have information about Americans, since they would likely be interpreted to be engaged in interstate commerce.
  3. This bill appears to mostly pre-empt existing or future state laws that have a similar purpose.
  4. Only state Attorneys General can sue under this law. I note that it does not pre-empt state tort law, so presumably consumers can sue for negligence connected to a breach?

Despite the above, both the Center for Democracy and Technology and the Privacy Rights Clearinghouse have urged that this bill be passed.

Without further ado, here's HR 4127:

    Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the `Data Accountability and Trust Act (DATA)'.

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

    (a) General Security Policies and Procedures-

      (1) REGULATIONS- Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations to require each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information that are consistent with--

        (A) the size of, and the nature, scope, and complexity of the activities engaged in by, such person;

        (B) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and

        (C) the cost of implementing such safeguards.

      (2) REQUIREMENTS- Such regulations shall require the policies and procedures to include the following:

        (A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information.

        (B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.

        (C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system maintained by such person that contains such electronic data.

        (D) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by subparagraph (C), which may include encryption of such data, implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.

    (b) Special Requirements for Information Brokers-

      (1) SUBMISSION OF POLICIES TO THE FTC- The regulations promulgated under subsection (a) shall require information brokers to submit their security policies to the Commission on an annual basis.

      (2) POST-BREACH AUDIT- Following a breach of security of an information broker, the Commission shall conduct an audit of the information security practices of such information broker. The Commission may conduct additional audits, on an annual basis, for a maximum of 5 years following the breach of security or until the Commission determines that the security practices of the information broker are in compliance with the requirements of this section and are adequate to prevent further breaches of security.

      (3) INDIVIDUAL ACCESS TO PERSONAL INFORMATION-

        (A) ACCESS TO INFORMATION- Each information broker shall--

          (i) provide to each individual whose personal information it maintains, at the individual's request at least one time per year and at no cost to the individual, a means for such individual to review any personal information of the individual maintained by the information broker and any other information about the individual maintained by the information broker; and

          (ii) place a conspicuous notice on its Internet website (if the information broker maintains such a website) instructing individuals how to request access to the information required to be provided under clause (i).

        (B) DISPUTED INFORMATION- Whenever an individual whose information the information broker maintains files a written request disputing the accuracy of any such information, unless there is reasonable grounds to believe such request is frivolous or irrelevant, the information broker shall clearly note in the database maintained by such information broker, and in any subsequent transmission of such information by such information broker, that such information is disputed by the individual to whom the information relates. Such note shall include either the individual's statement disputing the accuracy of such information or a clear and concise summary thereof.

SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.

    (a) Nationwide Notification- Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data--

      (1) notify each individual of the United States whose personal information was acquired by an unauthorized person as a result of such a breach of security;

      (2) notify the Commission;

      (3) place a conspicuous notice on the Internet website of the person (if such person maintains such a website), which shall include a telephone number that the individual may use, at no cost to such individual, to contact the person to inquire about the security breach or the information the person maintained about that individual; and

      (4) in the case of a breach of financial account information of a merchant, notify the financial institution that issued the account.

    (b) Timeliness of Notification- All notifications required under subsection (a) shall be made as promptly as possible and without unreasonable delay following the discovery of a breach of security of the system and any measures necessary to determine the scope of the breach, prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.

    (c) Method and Content of Notification-

      (1) DIRECT NOTIFICATION-

        (A) METHOD OF NOTIFICATION- A person required to provide notification to individuals under subsection (a)(1) shall be in compliance with such requirement if the person provides conspicuous and clearly identified notification by one of the following methods (provided the selected method can reasonably be expected to reach the intended individual):

          (i) Written notification.

          (ii) Email notification, if the individual has consented to receive such notification and the notification is provided in a manner that is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global Commerce Act (15 U.S.C. 7001).

        (B) CONTENT OF NOTIFICATION- Regardless of the method by which notification is provided to an individual under subparagraph (A), such notification shall include--

          (i) a description of the personal information that was acquired by an unauthorized person;

          (ii) a telephone number that the individual may use, at no cost to such individual, to contact the person to inquire about the security breach or the information the person maintained about that individual;

          (iii) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and

          (iv) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft.

      (2) SUBSTITUTE NOTIFICATION-

        (A) CIRCUMSTANCES GIVING RISE TO SUBSTITUTE NOTIFICATION- A person required to provide notification to individuals under subsection (a)(1) may provide substitute notification in lieu of the direct notification required by paragraph (1) if such direct notification is not feasible due to--

          (i) excessive cost to the person required to provide such notification relative to the resources of such person, as determined in accordance with the regulations issued by the Commission under paragraph (3)(A); or

          (ii) lack of sufficient contact information for the individual required to be notified.

        (B) CONTENT OF SUBSTITUTE NOTIFICATION- Such substitute notification shall include notification in print and broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside. Such notification shall include a telephone number where an individual can, at no cost to such individual, learn whether or not that individual's personal information is included in the security breach.

      (3) FEDERAL TRADE COMMISSION REGULATIONS AND GUIDANCE-

        (A) REGULATIONS- Not later than 270 days after the date of enactment of this Act, the Commission shall, by regulation, establish criteria for determining the circumstances under which substitute notification may be provided under paragraph (2), including criteria for determining if notification under paragraph (1) is not feasible due to excessive cost to the person required to provide such notification relative to the resources of such person.

        (B) GUIDANCE- In addition, the Commission shall provide and publish general guidance with respect to compliance with this section. Such guidance shall include--

          (i) a description of written or email notification that complies with the requirements of paragraph (1); and

          (ii) guidance on the content of substitute notification under paragraph (2)(B), including the extent of notification to print and broadcast media that complies with the requirements of such paragraph.

    (d) Other Obligations Following Breach- A person required to provide notification under subsection (a) shall provide or arrange for the provision of, to each individual to whom notification is provided under subsection (c)(1) and at no cost to such individual, consumer credit reports from at least one of the major credit reporting agencies beginning not later than 2 months following a breach of security and continuing on a quarterly basis for a period of 2 years thereafter. The Commission shall, by regulation, provide alternative requirements under this subsection for persons who qualify to provide substitute notification under subsection (c)(2).

    (e) Website Notice of Federal Trade Commission- The Commission shall place, in a clear and conspicuous location on its Internet website, a notice of any breach of security that is reported to the Commission under subsection (a)(2).

SEC. 4. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.

    (a) Unfair or Deceptive Acts or Practices- A violation of section 2 or 3 shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

    (b) Powers of Commission- The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in that Act. Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law.

SEC. 5. DEFINITIONS.

    In this Act the following definitions apply:

      (1) BREACH OF SECURITY- The term `breach of security' means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates. The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no such reasonable basis exists. Any such presumption may be rebutted by facts demonstrating that the method of encryption has been or is likely to be compromised.

      (2) COMMISSION- The term `Commission' means the Federal Trade Commission.

      (3) DATA IN ELECTRONIC FORM- The term `data in electronic form' means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.

      (4) ENCRYPTION- The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.

      (5) IDENTITY THEFT- The term `identity theft' means the unauthorized assumption of another person's identity for the purpose of engaging in commercial transactions under the name of such other person.

      (6) INFORMATION BROKER- The term `information broker' means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not customers of such entity for the sale or transmission of such information or the provision of access to such information to any third party, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity.

      (7) PERSONAL INFORMATION-

        (A) DEFINITION- The term `personal information' means an individual's first and last name in combination with any 1 or more of the following data elements for that individual:

          (i) Social Security number.

          (ii) Driver's license number or other State identification number.

          (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account.

        (B) MODIFIED DEFINITION BY RULEMAKING- The Commission may, by rule, modify the definition of `personal information' under subparagraph (A) to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.

      (8) PERSON- The term `person' has the same meaning given such term in section 551(2) of title 5, United States Code.

SEC. 6. EFFECT ON OTHER LAWS.

    (a) Preemption of State Information Security Laws- This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State that expressly--

      (1) requires information security practices and treatment of personal information similar to any of those required under section 2; and

      (2) requires notification to individuals of a breach of security resulting in unauthorized acquisition of their personal information.

    (b) Additional Preemption-

      (1) IN GENERAL- No person other than the Attorney General of a State may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.

      (2) PROTECTION OF CONSUMER PROTECTION LAWS- This subsection shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State.

    (c) Protection of Certain State Laws- This Act shall not be construed to preempt the applicability of--

      (1) State trespass, contract, or tort law; or

      (2) other State laws to the extent that those laws relate to acts of fraud.

SEC. 7. EFFECTIVE DATE AND SUNSET.

    (a) Effective Date- This Act shall take effect 1 year after the date of enactment of this Act.

    (b) Sunset- This Act shall cease to be in effect on the date that is 10 years from the date of enactment of this Act.

SEC. 8. AUTHORIZATION OF APPROPRIATIONS.

    There is authorized to be appropriated to the Commission $1,000,000 for each of fiscal years 2006 through 2010 to carry out this Act.

No comments: