[House Report 111-362]
[From the U.S. Government Publishing Office]
111th Congress Report
HOUSE OF REPRESENTATIVES
1st Session 111-362
======================================================================
DATA ACCOUNTABILITY AND TRUST ACT
_______
December 8, 2009.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mr. Waxman, from the Committee on Energy and Commerce, submitted the
following
R E P O R T
[To accompany H.R. 2221]
[Including cost estimate of the Congressional Budget Office]
The Committee on Energy and Commerce, to whom was referred
the bill (H.R. 2221) to protect consumers by requiring
reasonable security policies and procedures to protect
computerized data containing personal information, and to
provide for nationwide notice in the event of a security
breach, having considered the same, report favorably thereon
with amendments and recommend that the bill as amended do pass.
CONTENTS
Amendment
Purpose and Summary
Background and Need for Legislation
Legislative History
Committee Consideration
Committee Votes
Statement of Committee Oversight Findings and Recommendations
New Budget Authority, Entitlement Authority, and Tax Expenditures
Statement of General Performance Goals and Objectives
Constitutional Authority Statement
Earmarks and Tax and Tariff Benefits
Federal Advisory Committee Statement
Applicability of Law to Legislative Branch
Federal Mandates Statement
Committee Cost Estimate
Congressional Budget Office Cost Estimate
Section-by-Section Analysis of the Legislation
Explanation of Amendments
Changes in Existing Law Made by the Bill, as Reported
AMENDMENT
The amendments are as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Accountability and Trust Act''.
SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.
(a) General Security Policies and Procedures.--
(1) Regulations.--Not later than 1 year after the date of
enactment of this Act, the Commission shall promulgate
regulations under section 553 of title 5, United States Code,
to require each person engaged in interstate commerce that owns
or possesses data containing personal information, or contracts
to have any third party entity maintain such data for such
person, to establish and implement policies and procedures
regarding information security practices for the treatment and
protection of personal information taking into consideration--
(A) the size of, and the nature, scope, and
complexity of the activities engaged in by, such
person;
(B) the current state of the art in administrative,
technical, and physical safeguards for protecting such
information; and
(C) the cost of implementing such safeguards.
(2) Requirements.--Such regulations shall require the
policies and procedures to include the following:
(A) A security policy with respect to the collection,
use, sale, other dissemination, and maintenance of such
personal information.
(B) The identification of an officer or other
individual as the point of contact with responsibility
for the management of information security.
(C) A process for identifying and assessing any
reasonably foreseeable vulnerabilities in the system or
systems maintained by such person that contains such
data, which shall include regular monitoring for a
breach of security of such system or systems.
(D) A process for taking preventive and corrective
action to mitigate against any vulnerabilities
identified in the process required by subparagraph (C),
which may include implementing any changes to security
practices and the architecture, installation, or
implementation of network or operating software.
(E) A process for disposing of data in electronic
form containing personal information by shredding,
permanently erasing, or otherwise modifying the
personal information contained in such data to make
such personal information permanently unreadable or
undecipherable.
(F) A standard method or methods for the destruction
of paper documents and other non-electronic data
containing personal information.
(3) Treatment of entities governed by other law.--Any person
who is in compliance with any other Federal law that requires
such person to maintain standards and safeguards for
information security and protection of personal information
that, taken as a whole and as the Commission shall determine in
the rulemaking required under paragraph (1), provide
protections substantially similar to, or greater than, those
required under this subsection, shall be deemed to be in
compliance with this subsection.
(b) Special Requirements for Information Brokers.--
(1) Submission of policies to the FTC.--The regulations
promulgated under subsection (a) shall require each information
broker to submit its security policies to the Commission in
conjunction with a notification of a breach of security under
section 3 or upon request of the Commission.
(2) Post-breach audit.--For any information broker required
to provide notification under section 3, the Commission may
conduct audits of the information security practices of such
information broker, or require the information broker to
conduct independent audits of such practices (by an independent
auditor who has not audited such information broker's security
practices during the preceding 5 years).
(3) Accuracy of and individual access to personal
information.--
(A) Accuracy.--
(i) In general.--Each information broker
shall establish reasonable procedures to assure
the maximum possible accuracy of the personal
information it collects, assembles, or
maintains, and any other information it
collects, assembles, or maintains that
specifically identifies an individual, other
than information which merely identifies an
individual's name or address.
(ii) Limited exception for fraud databases.--
The requirement in clause (i) shall not prevent
the collection or maintenance of information
that may be inaccurate with respect to a
particular individual when that information is
being collected or maintained solely--
(I) for the purpose of indicating
whether there may be a discrepancy or
irregularity in the personal
information that is associated with an
individual; and
(II) to help identify, or
authenticate the identity of, an
individual, or to protect against or
investigate fraud or other unlawful
conduct.
(B) Consumer access to information.--
(i) Access.--Each information broker shall--
(I) provide to each individual whose
personal information it maintains, at
the individual's request at least 1
time per year and at no cost to the
individual, and after verifying the
identity of such individual, a means
for the individual to review any
personal information regarding such
individual maintained by the
information broker and any other
information maintained by the
information broker that specifically
identifies such individual, other than
information which merely identifies an
individual's name or address; and
(II) place a conspicuous notice on
its Internet website (if the
information broker maintains such a
website) instructing individuals how to
request access to the information
required to be provided under subclause
(I), and, as applicable, how to express
a preference with respect to the use of
personal information for marketing
purposes under clause (iii).
(ii) Disputed information.--Whenever an
individual whose information the information
broker maintains makes a written request
disputing the accuracy of any such information,
the information broker, after verifying the
identity of the individual making such request
and unless there are reasonable grounds to
believe such request is frivolous or
irrelevant, shall--
(I) correct any inaccuracy; or
(II)(aa) in the case of information
that is public record information,
inform the individual of the source of
the information, and, if reasonably
available, where a request for
correction may be directed and, if the
individual provides proof that the
public record has been corrected or
that the information broker was
reporting the information incorrectly,
correct the inaccuracy in the
information broker's records; or
(bb) in the case of information that
is non-public information, note the
information that is disputed, including
the individual's statement disputing
such information, and take reasonable
steps to independently verify such
information under the procedures
outlined in subparagraph (A) if such
information can be independently
verified.
(iii) Alternative procedure for certain
marketing information.--In accordance with
regulations issued under clause (v), an
information broker that maintains any
information described in clause (i) which is
used, shared, or sold by such information
broker for marketing purposes, may, in lieu of
complying with the access and dispute
requirements set forth in clauses (i) and (ii),
provide each individual whose information it
maintains with a reasonable means of expressing
a preference not to have his or her information
used for such purposes. If the individual
expresses such a preference, the information
broker may not use, share, or sell the
individual's information for marketing
purposes.
(iv) Limitations.--An information broker may
limit the access to information required under
subparagraph (B)(i)(I) and is not required to
provide notice to individuals as required under
subparagraph (B)(i)(II) in the following
circumstances:
(I) If access of the individual to
the information is limited by law or
legally recognized privilege.
(II) If the information is used for a
legitimate governmental or fraud
prevention purpose that would be
compromised by such access.
(III) If the information consists of
a published media record, unless that
record has been included in a report
about an individual shared with a third
party.
(v) Rulemaking.--Not later than 1 year after
the date of the enactment of this Act, the
Commission shall promulgate regulations under
section 553 of title 5, United States Code, to
carry out this paragraph and to facilitate the
purposes of this Act. In addition, the
Commission shall issue regulations, as
necessary, under section 553 of title 5, United
States Code, on the scope of the application of
the limitations in clause (iv), including any
additional circumstances in which an
information broker may limit access to
information under such clause that the
Commission determines to be appropriate.
(C) FCRA regulated persons.--Any information broker
who is engaged in activities subject to the Fair Credit
Reporting Act and who is in compliance with sections
609, 610, and 611 of such Act with respect to
information subject to such Act, shall be deemed to be
in compliance with this paragraph with respect to such
information.
(4) Requirement of audit log of accessed and transmitted
information.--Not later than 1 year after the date of the
enactment of this Act, the Commission shall promulgate
regulations under section 553 of title 5, United States Code,
to require information brokers to establish measures which
facilitate the auditing or retracing of any internal or
external access to, or transmissions of, any data containing
personal information collected, assembled, or maintained by
such information broker.
(5) Prohibition on pretexting by information brokers.--
(A) Prohibition on obtaining personal information by
false pretenses.--It shall be unlawful for an
information broker to obtain or attempt to obtain, or
cause to be disclosed or attempt to cause to be
disclosed to any person, personal information or any
other information relating to any person by--
(i) making a false, fictitious, or fraudulent
statement or representation to any person; or
(ii) providing any document or other
information to any person that the information
broker knows or should know to be forged,
counterfeit, lost, stolen, or fraudulently
obtained, or to contain a false, fictitious, or
fraudulent statement or representation.
(B) Prohibition on solicitation to obtain personal
information under false pretenses.--It shall be
unlawful for an information broker to request a person
to obtain personal information or any other information
relating to any other person, if the information broker
knew or should have known that the person to whom such
a request is made will obtain or attempt to obtain such
information in the manner described in subparagraph
(A).
(c) Exemption for Certain Service Providers.--Nothing in this section
shall apply to a service provider for any electronic communication by a
third party that is transmitted, routed, or stored in intermediate or
transient storage by such service provider.
SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.
(a) Nationwide Notification.--Any person engaged in interstate
commerce that owns or possesses data in electronic form containing
personal information shall, following the discovery of a breach of
security of the system maintained by such person that contains such
data--
(1) notify each individual who is a citizen or resident of
the United States whose personal information was acquired or
accessed as a result of such a breach of security; and
(2) notify the Commission.
(b) Special Notification Requirements.--
(1) Third party agents.--In the event of a breach of security
by any third party entity that has been contracted to maintain
or process data in electronic form containing personal
information on behalf of any other person who owns or possesses
such data, such third party entity shall be required to notify
such person of the breach of security. Upon receiving such
notification from such third party, such person shall provide
the notification required under subsection (a).
(2) Service providers.--If a service provider becomes aware
of a breach of security of data in electronic form containing
personal information that is owned or possessed by another
person that connects to or uses a system or network provided by
the service provider for the purpose of transmitting, routing,
or providing intermediate or transient storage of such data,
such service provider shall be required to notify of such a
breach of security only the person who initiated such
connection, transmission, routing, or storage if such person
can be reasonably identified. Upon receiving such notification
from a service provider, such person shall provide the
notification required under subsection (a).
(3) Coordination of notification with credit reporting
agencies.--If a person is required to provide notification to
more than 5,000 individuals under subsection (a)(1), the person
shall also notify the major credit reporting agencies that
compile and maintain files on consumers on a nationwide basis,
of the timing and distribution of the notices. Such notice
shall be given to the credit reporting agencies without
unreasonable delay and, if it will not delay notice to the
affected individuals, prior to the distribution of notices to
the affected individuals.
(c) Timeliness of Notification.--
(1) In general.--Unless subject to a delay authorized under
paragraph (2), a notification required under subsection (a)
shall be made not later than 60 days following the discovery of
a breach of security, unless the person providing notice can
show that providing notice within such a time frame is not
feasible due to extraordinary circumstances necessary to
prevent further breach or unauthorized disclosures, and
reasonably restore the integrity of the data system, in which
case such notification shall be made as promptly as possible.
(2) Delay of notification authorized for law enforcement or
national security purposes.--
(A) Law enforcement.--If a Federal, State, or local
law enforcement agency determines that the notification
required under this section would impede a civil or
criminal investigation, such notification shall be
delayed upon the written request of the law enforcement
agency for 30 days or such lesser period of time which
the law enforcement agency determines is reasonably
necessary and requests in writing. A law enforcement
agency may, by a subsequent written request, revoke
such delay or extend the period of time set forth in
the original request made under this paragraph if
further delay is necessary.
(B) National security.--If a Federal national
security agency or homeland security agency determines
that the notification required under this section would
threaten national or homeland security, such
notification may be delayed for a period of time which
the national security agency or homeland security
agency determines is reasonably necessary and requests
in writing. A Federal national security agency or
homeland security agency may revoke such delay or
extend the period of time set forth in the original
request made under this paragraph by a subsequent
written request if further delay is necessary.
(d) Method and Content of Notification.--
(1) Direct notification.--
(A) Method of notification.--A person required to
provide notification to individuals under subsection
(a)(1) shall be in compliance with such requirement if
the person provides conspicuous and clearly identified
notification by one of the following methods (provided
the selected method can reasonably be expected to reach
the intended individual):
(i) Written notification.
(ii) Notification by email or other
electronic means, if--
(I) the person's primary method of
communication with the individual is by
email or such other electronic means;
or
(II) the individual has consented to
receive such notification and the
notification is provided in a manner
that is consistent with the provisions
permitting electronic transmission of
notices under section 101 of the
Electronic Signatures in Global
Commerce Act (15 U.S.C. 7001).
(B) Content of notification.--Regardless of the
method by which notification is provided to an
individual under subparagraph (A), such notification
shall include--
(i) a description of the personal information
that was acquired or accessed by an
unauthorized person;
(ii) a telephone number that the individual
may use, at no cost to such individual, to
contact the person to inquire about the breach
of security or the information the person
maintained about that individual;
(iii) notice that the individual is entitled
to receive, at no cost to such individual,
consumer credit reports on a quarterly basis
for a period of 2 years, or credit monitoring
or other service that enables consumers to
detect the misuse of their personal information
for a period of 2 years, and instructions to
the individual on requesting such reports or
service from the person, except when the only
information which has been the subject of the
security breach is the individual's first name
or initial and last name, or address, or phone
number, in combination with a credit or debit
card number, and any required security code;
(iv) the toll-free contact telephone numbers
and addresses for the major credit reporting
agencies; and
(v) a toll-free telephone number and Internet
website address for the Commission whereby the
individual may obtain information regarding
identity theft.
(2) Substitute notification.--
(A) Circumstances giving rise to substitute
notification.--A person required to provide
notification to individuals under subsection (a)(1) may
provide substitute notification in lieu of the direct
notification required by paragraph (1) if the person
owns or possesses data in electronic form containing
personal information of fewer than 1,000 individuals
and such direct notification is not feasible due to--
(i) excessive cost to the person required to
provide such notification relative to the
resources of such person, as determined in
accordance with the regulations issued by the
Commission under paragraph (3)(A); or
(ii) lack of sufficient contact information
for the individual required to be notified.
(B) Form of substitute notification.--Such substitute
notification shall include--
(i) email notification to the extent that the
person has email addresses of individuals to
whom it is required to provide notification
under subsection (a)(1);
(ii) a conspicuous notice on the Internet
website of the person (if such person maintains
such a website); and
(iii) notification in print and to broadcast
media, including major media in metropolitan
and rural areas where the individuals whose
personal information was acquired reside.
(C) Content of substitute notice.--Each form of
substitute notice under this paragraph shall include--
(i) notice that individuals whose personal
information is included in the breach of
security are entitled to receive, at no cost to
the individuals, consumer credit reports on a
quarterly basis for a period of 2 years, or
credit monitoring or other service that enables
consumers to detect the misuse of their
personal information for a period of 2 years,
and instructions on requesting such reports or
service from the person, except when the only
information which has been the subject of the
security breach is the individual's first name
or initial and last name, or address, or phone
number, in combination with a credit or debit
card number, and any required security code;
and
(ii) a telephone number by which an
individual can, at no cost to such individual,
learn whether that individual's personal
information is included in the breach of
security.
(3) Regulations and guidance.--
(A) Regulations.--Not later than 1 year after the
date of enactment of this Act, the Commission shall, by
regulation under section 553 of title 5, United States
Code, establish criteria for determining circumstances
under which substitute notification may be provided
under paragraph (2), including criteria for determining
if notification under paragraph (1) is not feasible due
to excessive costs to the person required to provide
such notification relative to the resources of such
person. Such regulations may also identify other
circumstances where substitute notification would be
appropriate for any person, including circumstances
under which the cost of providing notification exceeds
the benefits to consumers.
(B) Guidance.--In addition, the Commission shall
provide and publish general guidance with respect to
compliance with this subsection. Such guidance shall
include--
(i) a description of written or email
notification that complies with the
requirements of paragraph (1); and
(ii) guidance on the content of substitute
notification under paragraph (2), including the
extent of notification to print and broadcast
media that complies with the requirements of
such paragraph.
(e) Other Obligations Following Breach.--
(1) In general.--A person required to provide notification
under subsection (a) shall, upon request of an individual whose
personal information was included in the breach of security,
provide or arrange for the provision of, to each such
individual and at no cost to such individual--
(A) consumer credit reports from at least one of the
major credit reporting agencies beginning not later
than 60 days following the individual's request and
continuing on a quarterly basis for a period of 2 years
thereafter; or
(B) a credit monitoring or other service that enables
consumers to detect the misuse of their personal
information, beginning not later than 60 days following
the individual's request and continuing for a period of
2 years.
(2) Limitation.--This subsection shall not apply if the only
personal information which has been the subject of the security
breach is the individual's first name or initial and last name,
or address, or phone number, in combination with a credit or
debit card number, and any required security code.
(3) Rulemaking.--As part of the Commission's rulemaking
described in subsection (d)(3), the Commission shall determine
the circumstances under which a person required to provide
notification under subsection (a)(1) shall provide or arrange
for the provision of free consumer credit reports or credit
monitoring or other service to affected individuals.
(f) Exemption.--
(1) General exemption.--A person shall be exempt from the
requirements under this section if, following a breach of
security, such person determines that there is no reasonable
risk of identity theft, fraud, or other unlawful conduct.
(2) Presumption.--
(A) In general.--If the data in electronic form
containing personal information is rendered unusable,
unreadable, or indecipherable through encryption or
other security technology or methodology (if the method
of encryption or such other technology or methodology
is generally accepted by experts in the information
security field), there shall be a presumption that no
reasonable risk of identity theft, fraud, or other
unlawful conduct exists following a breach of security
of such data. Any such presumption may be rebutted by
facts demonstrating that the encryption or other
security technologies or methodologies in a specific
case, have been or are reasonably likely to be
compromised.
(B) Methodologies or technologies.--Not later than 1
year after the date of the enactment of this Act and
biannually thereafter, the Commission shall issue rules
(pursuant to section 553 of title 5, United States
Code) or guidance to identify security methodologies or
technologies which render data in electronic form
unusable, unreadable, or indecipherable, that shall, if
applied to such data, establish a presumption that no
reasonable risk of identity theft, fraud, or other
unlawful conduct exists following a breach of security
of such data. Any such presumption may be rebutted by
facts demonstrating that any such methodology or
technology in a specific case has been or is reasonably
likely to be compromised. In issuing such rules or
guidance, the Commission shall consult with relevant
industries, consumer organizations, and data security
and identity theft prevention experts and established
standards setting bodies.
(3) FTC guidance.--Not later than 1 year after the date of
the enactment of this Act the Commission shall issue guidance
regarding the application of the exemption in paragraph (1).
(g) Website Notice of Federal Trade Commission.--If the Commission,
upon receiving notification of any breach of security that is reported
to the Commission under subsection (a)(2), finds that notification of
such a breach of security via the Commission's Internet website would
be in the public interest or for the protection of consumers, the
Commission shall place such a notice in a clear and conspicuous
location on its Internet website.
(h) FTC Study on Notification in Languages in Addition to English.--
Not later than 1 year after the date of enactment of this Act, the
Commission shall conduct a study on the practicality and cost
effectiveness of requiring the notification required by subsection
(d)(1) to be provided in a language in addition to English to
individuals known to speak only such other language.
(i) General Rulemaking Authority.--The Commission may promulgate
regulations necessary under section 553 of title 5, United States Code,
to effectively enforce the requirements of this section.
(j) Treatment of Persons Governed by Other Law.--A person who is in
compliance with any other Federal law that requires such person to
provide notification to individuals following a breach of security, and
that, taken as a whole, provides protections substantially similar to,
or greater than, those required under this section, as the Commission
shall determine by rule (under section 553 of title 5, United States
Code), shall be deemed to be in compliance with this section.
SEC. 4. APPLICATION AND ENFORCEMENT.
(a) General Application.--The requirements of sections 2 and 3 shall
only apply to those persons, partnerships, or corporations over which
the Commission has authority pursuant to section 5(a)(2) of the Federal
Trade Commission Act.
(b) Enforcement by the Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
section 2 or 3 shall be treated as an unfair and deceptive act
or practice in violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
(2) Powers of commission.--The Commission shall enforce this
Act in the same manner, by the same means, and with the same
jurisdiction, powers, and duties as though all applicable terms
and provisions of the Federal Trade Commission Act (15 U.S.C.
41 et seq.) were incorporated into and made a part of this Act.
Any person who violates such regulations shall be subject to
the penalties and entitled to the privileges and immunities
provided in that Act.
(3) Limitation.--In promulgating rules under this Act, the
Commission shall not require the deployment or use of any
specific products or technologies, including any specific
computer software or hardware.
(c) Enforcement by State Attorneys General.--
(1) Civil action.--In any case in which the attorney general
of a State, or an official or agency of a State, has reason to
believe that an interest of the residents of that State has
been or is threatened or adversely affected by any person who
violates section 2 or 3 of this Act, the attorney general,
official, or agency of the State, as parens patriae, may bring
a civil action on behalf of the residents of the State in a
district court of the United States of appropriate
jurisdiction--
(A) to enjoin further violation of such section by
the defendant;
(B) to compel compliance with such section; or
(C) to obtain civil penalties in the amount
determined under paragraph (2).
(2) Civil penalties.--
(A) Calculation.--
(i) Treatment of violations of section 2.--
For purposes of paragraph (1)(C) with regard to
a violation of section 2, the amount determined
under this paragraph is the amount calculated
by multiplying the number of days that a person
is not in compliance with such section by an
amount not greater than $11,000.
(ii) Treatment of violations of section 3.--
For purposes of paragraph (1)(C) with regard to
a violation of section 3, the amount determined
under this paragraph is the amount calculated
by multiplying the number of violations of such
section by an amount not greater than $11,000.
Each failure to send notification as required
under section 3 to a resident of the State
shall be treated as a separate violation.
(B) Adjustment for inflation.--Beginning on the date
that the Consumer Price Index is first published by the
Bureau of Labor Statistics that is after 1 year after
the date of enactment of this Act, and each year
thereafter, the amounts specified in clauses (i) and
(ii) of subparagraph (A) shall be increased by the
percentage increase in the Consumer Price Index
published on that date from the Consumer Price Index
published the previous year.
(C) Maximum total liability.--Notwithstanding the
number of actions which may be brought against a person
under this subsection, the maximum civil penalty for
which any person may be liable under this subsection
shall not exceed--
(i) $5,000,000 for each violation of section
2; and
(ii) $5,000,000 for all violations of section
3 resulting from a single breach of security.
(3) Intervention by the FTC.--
(A) Notice and intervention.--The State shall provide
prior written notice of any action under paragraph (1)
to the Commission and provide the Commission with a
copy of its complaint, except in any case in which such
prior notice is not feasible, in which case the State
shall serve such notice immediately upon instituting
such action. The Commission shall have the right--
(i) to intervene in the action;
(ii) upon so intervening, to be heard on all
matters arising therein; and
(iii) to file petitions for appeal.
(B) Limitation on state action while federal action
is pending.--If the Commission has instituted a civil
action for violation of this Act, no State attorney
general, or official or agency of a State, may bring an
action under this subsection during the pendency of
that action against any defendant named in the
complaint of the Commission for any violation of this
Act alleged in the complaint.
(4) Construction.--For purposes of bringing any civil action
under paragraph (1), nothing in this Act shall be construed to
prevent an attorney general of a State from exercising the
powers conferred on the attorney general by the laws of that
State to--
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(d) Affirmative Defense for a Violation of Section 3.--
(1) In general.--It shall be an affirmative defense to an
enforcement action brought under subsection (b), or a civil
action brought under subsection (c), based on a violation of
section 3, that all of the personal information contained in
the data in electronic form that was acquired or accessed as a
result of a breach of security of the defendant is public
record information that is lawfully made available to the
general public from Federal, State, or local government records
and was acquired by the defendant from such records.
(2) No effect on other requirements.--Nothing in this
subsection shall be construed to exempt any person from the
requirement to notify the Commission of a breach of security as
required under section 3(a).
SEC. 5. DEFINITIONS.
In this Act the following definitions apply:
(1) Breach of security.--The term ``breach of security''
means unauthorized access to or acquisition of data in
electronic form containing personal information.
(2) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(3) Data in electronic form.--The term ``data in electronic
form'' means any data stored electronically or digitally on any
computer system or other database and includes recordable tapes
and other mass storage devices.
(4) Encryption.--The term ``encryption'' means the protection
of data in electronic form in storage or in transit using an
encryption technology that has been adopted by an established
standards setting body which renders such data indecipherable
in the absence of associated cryptographic keys necessary to
enable decryption of such data. Such encryption must include
appropriate management and safeguards of such keys to protect
the integrity of the encryption.
(5) Identity theft.--The term ``identity theft'' means the
unauthorized use of another person's personal information for
the purpose of engaging in commercial transactions under the
name of such other person.
(6) Information broker.--The term ``information broker''--
(A) means a commercial entity whose business is to
collect, assemble, or maintain personal information
concerning individuals who are not current or former
customers of such entity in order to sell such
information or provide access to such information to
any nonaffiliated third party in exchange for
consideration, whether such collection, assembly, or
maintenance of personal information is performed by the
information broker directly, or by contract or
subcontract with any other entity; and
(B) does not include a commercial entity to the
extent that such entity processes information collected
by and received from a nonaffiliated third party
concerning individuals who are current or former
customers or employees of such third party to enable
such third party to (1) provide benefits for its
employees or (2) directly transact business with its
customers.
(7) Personal information.--
(A) Definition.--The term ``personal information''
means an individual's first name or initial and last
name, or address, or phone number, in combination with
any 1 or more of the following data elements for that
individual:
(i) Social Security number.
(ii) Driver's license number, passport
number, military identification number, or
other similar number issued on a government
document used to verify identity.
(iii) Financial account number, or credit or
debit card number, and any required security
code, access code, or password that is
necessary to permit access to an individual's
financial account.
(B) Modified definition by rulemaking.--The
Commission may, by rule promulgated under section 553
of title 5, United States Code, modify the definition
of ``personal information'' under subparagraph (A)--
(i) for the purpose of section 2 to the
extent that such modification will not
unreasonably impede interstate commerce, and
will accomplish the purposes of this Act; or
(ii) for the purpose of section 3, to the
extent that such modification is necessary to
accommodate changes in technology or practices,
will not unreasonably impede interstate
commerce, and will accomplish the purposes of
this Act.
(8) Public record information.--The term ``public record
information'' means information about an individual which has
been obtained originally from records of a Federal, State, or
local government entity that are available for public
inspection.
(9) Non-public information.--The term ``non-public
information'' means information about an individual that is of
a private nature and neither available to the general public
nor obtained from a public record.
(10) Service provider.--The term ``service provider'' means
an entity that provides to a user transmission, routing,
intermediate and transient storage, or connections to its
system or network, for electronic communications, between or
among points specified by such user of material of the user's
choosing, without modification to the content of the material
as sent or received. Any such entity shall be treated as a
service provider under this Act only to the extent that it is
engaged in the provision of such transmission, routing,
intermediate and transient storage or connections.
SEC. 6. EFFECT ON OTHER LAWS.
(a) Preemption of State Information Security Laws.--This Act
supersedes any provision of a statute, regulation, or rule of a State
or political subdivision of a State, with respect to those entities
covered by the regulations issued pursuant to this Act, that
expressly--
(1) requires information security practices and treatment of
data containing personal information similar to any of those
required under section 2; and
(2) requires notification to individuals of a breach of
security resulting in unauthorized access to or acquisition of
data in electronic form containing personal information.
(b) Additional Preemption.--
(1) In general.--No person other than a person specified in
section 4(c) may bring a civil action under the laws of any
State if such action is premised in whole or in part upon the
defendant violating any provision of this Act.
(2) Protection of consumer protection laws.--This subsection
shall not be construed to limit the enforcement of any State
consumer protection law by an Attorney General of a State.
(c) Protection of Certain State Laws.--This Act shall not be
construed to preempt the applicability of--
(1) State trespass, contract, or tort law; or
(2) other State laws to the extent that those laws relate to
acts of fraud.
(d) Preservation of FTC Authority.--Nothing in this Act may be
construed in any way to limit or affect the Commission's authority
under any other provision of law.
SEC. 7. EFFECTIVE DATE.
This Act shall take effect 1 year after the date of enactment of this
Act.
SEC. 8. AUTHORIZATION OF APPROPRIATIONS.
There is authorized to be appropriated to the Commission $1,000,000
for each of fiscal years 2010 through 2015 to carry out this Act.
Amend the title so as to read:
A bill to protect consumers by requiring reasonable
security policies and procedures to protect data containing
personal information, and to provide for nationwide notice in
the event of a security breach.
PURPOSE AND SUMMARY
H.R. 2221, the ``Data Accountability and Trust Act'', was
introduced on April 30, 2009, by Reps. Bobby L. Rush (D-IL),
Cliff Stearns (R-FL), Joe Barton (R-TX), George Radanovich (R-CA),
and Janice Schakowsky (D-IL). The goal of H.R. 2221 is to
both reduce the number of data breaches and provide new rights
to individuals whose personal information is compromised when a
breach occurs. The bill has two major requirements: (1) an
entity holding data containing personal information must adopt
reasonable and appropriate security measures to protect such
data; and (2) that same entity must notify affected consumers
in the event of a breach unless the entity determines there is
``no reasonable risk of identity theft, fraud, or other
unlawful conduct.'' In addition, the bill requires information
brokers to implement reasonable procedures that will ensure
data accuracy and provide consumers with access to information
and the ability to dispute inaccurate information in certain
circumstances.
BACKGROUND AND NEED FOR LEGISLATION
Data breaches can severely compromise the financial well-being
of individuals whose personal information is exploited to
commit identity theft or fraud. Despite increased publicity
surrounding high-profile data breaches, enforcement by the
Federal Trade Commission (FTC), and ongoing calls for better
data security from Congress and other governmental bodies, data
breaches continue at an alarming pace. According to the Privacy
Rights Clearinghouse, almost 340 million records containing
``sensitive personal information'' have been ``involved in
security breaches since January 2005.''\1\
---------------------------------------------------------------------------
\1\Privacy Rights Clearinghouse, A Chronology of Data Breaches
(online at www.privacyrights.org/ar/ChronDataBreaches.htm) (accessed
Oct. 6, 2009).
---------------------------------------------------------------------------
Data breaches have an impact on every sector of the
economy. High-profile data breaches have plagued financial
institutions, nationwide retailers, online merchants,
information brokers, credit card processors, healthcare
institutions, high-tech companies, research facilities, and
government agencies. The causes of these breaches range from
high-tech hacking and skimming to dumpster diving and simple
laptop theft.
Data breaches can result in substantial harm to consumers.
Personal information that is lost or compromised may be
exploited by criminals to commit identity theft, fraud, or
other unlawful conduct. According to the FTC's most recent
identity theft survey, approximately 8.3 million American
adults--3.7% of all American adults--discovered that they were
victims of identity theft in 2005.\2\ By some estimates,
identity theft is the fastest growing type of fraud in the
United States.\3\ Moreover, although identity theft often is
associated with financial transactions, it also can take place
in other contexts. For example, thieves can steal identities to
gain employment, immigrate into this country, obtain medical
care, apply for benefits, and evade law enforcement.
---------------------------------------------------------------------------
\2\See Federal Trade Commission, Identity Theft Survey Report,
prepared by Synovate, at 3 (2007) www.ftc.gov/os/2007/11/
SynovateFinalReportIDTheft2006.pdf.
\3\ Congressional Research Service, Identity Theft: Trends and
Issues, at 1 (Aug. 2009) (CRS-R40599).
---------------------------------------------------------------------------
The best way to prevent identity theft and other harm is
for individuals and businesses to properly secure personal
information so that it does not fall into the wrong hands in
the first place. Currently, several laws address data security
requirements for narrow categories of information or specific
sectors of the marketplace. These laws include the Gramm-Leach-Bliley
Act (``GLB Act'') Safeguards Rule,\4\ which contains
data security requirements for financial institutions and the
Fair Credit Reporting Act (``FCRA'') Disposal Rule,\5\ which
imposes safe disposal obligations on entities that maintain
consumer report information. In addition, FTC has used its
enforcement authority under the FTC Act\6\ to bring actions
against companies that have made misleading claims about data
security procedures or failed to employ reasonable security
measures in circumstances that caused substantial injury. There
is no comprehensive federal law, however, that requires all
companies that hold consumer personal information to implement
reasonable measures to protect that data.
---------------------------------------------------------------------------
\4\16 CFR Part 314, implementing 15 U.S.C. section 6801(b).
\5\16 CFR Part 682, implementing 15 U.S.C. section 1681w.
\6\15 U.S.C. section 45(a).
---------------------------------------------------------------------------
Also, there is no federal law that requires companies that
experience a data breach to provide notice to those consumers
whose personal information was compromised. Consumers need to
know when their sensitive information has been compromised in
order to detect and prevent identity theft, fraud, or other
unlawful conduct. Timely notice allows consumers to take
concrete steps to prevent identity theft such as cancelling
accounts or requesting new account numbers, monitoring accounts
for unusual activity, and placing alerts on credit reports.
Victims of identity theft can spend countless hours attempting
to fix the myriad problems that can result from the misuse of
personal information. Notice, as well as the provision of
services to help consumers monitor their accounts for
suspicious activity, would aid consumers with the arduous task
of preventing and/or recovering from identity theft.
H.R. 2221 is a comprehensive information security regime
that will require all companies subject to FTC jurisdiction to
implement an information security program to safeguard personal
information. This program is applicable to personal information
stored electronically and in paper records and would require
companies to engage in an ongoing process of evaluating risks
and taking reasonable measures to address those risks.
H.R. 2221 also requires companies that experience a data
breach to provide consumers with timely notice of the breach so
that consumers can take steps to prevent harm. The bill creates
uniform, nationwide standards for breach notification for all
entities subject to FTC jurisdiction. The bill further requires
companies to provide individuals with free monitoring services
to detect the misuse of their personal information following a
breach.
In addition to the information security and breach
notification requirements that apply to all entities subject to
FTC jurisdiction, H.R. 2221 includes additional requirements
for information brokers, those companies that are in the
business of collecting personal information for the purpose of
selling it to third parties.
LEGISLATIVE HISTORY
The Data Accountability and Trust Act originally was
introduced as H.R. 4127 in the 109th Congress on October 25,
2005, by Rep. Stearns, who was then Chairman of the
Subcommittee on Commerce, Trade, and Consumer Protection. In
the 109th Congress, the Subcommittee on Commerce, Trade, and
Consumer Protection held two oversight hearings on data
breaches, data security, and information brokers, as well as a
legislative hearing on a discussion draft of H.R. 4127. The
Subcommittee considered H.R. 4127 in markup session and
forwarded the bill, amended, to the full Committee on November
3, 2005. On March 29, 2006, the Committee on Energy and
Commerce met in open markup session and ordered H.R. 4127
reported to the House, as amended, by a recorded vote of 41
yeas and 0 nays.
In the 110th Congress, H.R. 958 was introduced by Rep.
Bobby L. Rush, Chairman of the Subcommittee on Commerce, Trade,
and Consumer Protection, with the same language of the bill
that passed out of the Committee in the previous Congress.
COMMITTEE CONSIDERATION
In the 111th Congress, Subcommittee Chairman Rush, on
behalf of himself, Reps. Stearns, Barton, Radanovich, and
Schakowsky, reintroduced the bill as H.R. 2221 on April 30,
2009. The bill was referred to the Subcommittee on Commerce,
Trade, and Consumer Protection on May 1, 2009. The Subcommittee
held a legislative hearing on H.R. 2221 on May 5, 2009.
Testimony was heard from witnesses representing the Bureau of
Consumer Protection of the Federal Trade Commission; the Center
for Democracy and Technology; the Business Software Alliance;
the Distributed Computing Data Industry Association; the
Electronic Privacy Information Center; Tiversa, Inc.; and the
Center for the Study of Digital Property of the Progress &
Freedom Foundation.
On June 3, 2009, the Subcommittee met in open markup
session to consider H.R. 2221. The Subcommittee subsequently
forwarded H.R. 2221, amended, to the full Committee by a voice
vote.
The Committee on Energy and Commerce met in open markup
session on September 30, 2009, and considered H.R. 2221 as
forwarded by the Subcommittee on June 3, 2009. The Committee
adopted a manager's amendment to the bill by a voice vote. The
full Committee then ordered H.R. 2221 favorably reported to the
House, amended, by a voice vote.
COMMITTEE VOTES
Clause 3(b) of rule XIII of the Rules of the House of
Representatives requires the Committee to list the recorded
votes on the motion to report legislation and amendments
thereto. A motion by Mr. Waxman to order H.R. 2221 favorably
reported to the House, amended, was agreed to by a voice vote.
There were no recorded votes taken during consideration and
passage of H.R. 2221.
STATEMENT OF COMMITTEE OVERSIGHT FINDINGS AND RECOMMENDATIONS
In compliance with clause 3(c)(1) of rule XIII and clause
(2)(b)(1) of rule X of the Rules of the House of
Representatives, the oversight findings and recommendations of
the Committee are reflected in the descriptive portions of this
report.
NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES
Pursuant to clause 3(c)(2) of rule XIII of the Rules of the
House of Representatives, the Committee adopts as its own the
estimate of budget authority and revenues regarding H.R. 2221
prepared by the Director of the Congressional Budget Office
pursuant to section 402 of the Congressional Budget Act of
1974. The Committee finds that H.R. 2221 would result in no new
or increased entitlement authority, or tax expenditures or
revenues.
STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES
In accordance with clause 3(c)(4) of rule XIII of the Rules
of the House of Representatives, the performance goals and
objectives of the Committee are reflected in the descriptive
portions of this report.
CONSTITUTIONAL AUTHORITY STATEMENT
Pursuant to clause 3(d)(1) of rule XIII of the Rules of the
House of Representatives, the Committee must include a
statement citing the specific powers granted to Congress to
enact the law proposed by H.R. 2221. Article I, section 8,
clauses 3 and 18 of the Constitution of the United States
grants the Congress the power to enact this law.
EARMARKS AND TAX AND TARIFF BENEFITS
H.R. 2221 does not contain any congressional earmarks,
limited tax benefits, or limited tariff benefits as defined in
clause 9 of rule XXI of the Rules of the House of
Representatives.
FEDERAL ADVISORY COMMITTEE STATEMENT
The Committee finds that the legislation does not establish
or authorize the establishment of an advisory committee within
the definition of 5 U.S.C. App., section 5(b) of the Federal
Advisory Committee Act.
APPLICABILITY OF LAW TO THE LEGISLATIVE BRANCH
Section 102(b)(3) of Public Law 104-1 requires a
description of the application of this bill to the legislative
branch where the bill relates to terms and conditions of
employment or access to public services and accommodations.
H.R. 2221 requires commercial entities subject to Federal
Trade Commission jurisdiction that own or possess personal
information to adopt reasonable and appropriate security
measures to protect such data and, in the event such
information is breached, that same entity must notify affected
consumers of the breach of security. This bill does not relate
to employment or access to public services and accommodations
in the legislative branch.
FEDERAL MANDATES STATEMENT
Section 423 of the Congressional Budget and Impoundment
Control Act of 1974 (as amended by section 101(a)(2) of the
Unfunded Mandates Reform Act, P.L. 104-4) requires a statement
on whether the provisions of the report include unfunded
mandates. In compliance with this requirement the Committee
adopts as its own the estimates of federal mandates prepared by
the Director of the Congressional Budget Office.
COMMITTEE COST ESTIMATE
Pursuant to clause 3(d)(2) of rule XIII of the Rules of the
House of Representatives, the Committee adopts as its own the
cost estimate of H.R. 2221 prepared by the Director of the
Congressional Budget Office pursuant to section 402 of the
Congressional Budget Act of 1974.
CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
With respect to the requirements of clause 3(c)(2) of rule
XIII of the Rules of the House of Representatives and section
308(a) of the Congressional Budget Act of 1974 and with respect
to requirements of clause (3)(c)(3) of rule XIII of the Rules
of the House of Representatives and section 402 of the
Congressional Budget Act of 1974, the Committee has received
the following cost estimate for H.R. 2221 from the Director of
the Congressional Budget Office:
December 7, 2009.
Hon. Henry A. Waxman,
Chairman, Committee on Energy and Commerce,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 2221, the Data
Accountability and Trust Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Susan Willie.
Sincerely,
Douglas W. Elmendorf.
Enclosure.
H.R. 2221--Data Accountability and Trust Act
Summary: H.R. 2221 would establish new requirements to
protect the personal information of individuals that is
collected and maintained by commercial entities. The bill would
require companies to adopt procedures to protect personal
information from improper access, anticipate and mitigate
potential vulnerabilities in security systems intended to
prevent improper access, and specify methods for disposing of
data that is held in electronic and nonelectronic form. H.R.
2221 would require data brokers (entities that collect and
maintain personal information for sale to others) to submit
their data security policies to the Federal Trade Commission
(FTC) and to establish procedures that consumers may follow to
review and, if necessary, dispute the accuracy of their
personal data. Finally, the bill would require entities covered
by the bill to notify individuals when their personal
information has been improperly accessed as the result of a
breach of security. H.R. 2221 would require the FTC to develop
regulations to implement and enforce the new requirements.
Assuming appropriation of the authorized amounts, CBO
estimates that implementing H.R. 2221 would cost $5 million
over the 2010-2014 period to develop and enforce the new
regulations. Enacting H.R. 2221 could increase federal revenues
from additional civil penalties assessed for violations of laws
related to information security. CBO estimates that any
additional revenues would not be significant because of the
relatively small number of cases expected to be involved.
Enacting H.R. 2221 would not affect direct spending.
H.R. 2221 contains intergovernmental mandates as defined in
the Unfunded Mandates Reform Act (UMRA), but CBO estimates that
those mandates would impose no costs on state, local, or tribal
governments.
H.R. 2221 would impose several private-sector mandates as
defined in UMRA by requiring certain entities engaged in
interstate commerce to establish policies and procedures to
keep personal information secure and to notify affected
individuals in the event of a security breach. The bill also
would impose new requirements on information brokers related to
data collection and accuracy.
Much of the industry already complies in large part with
many of the bill's requirements. However, some of the
requirements in the bill would impose new security standards
and notification procedures on millions of entities in the
private sector. Based on this information, CBO estimates that
the aggregate direct cost of the mandates in the bill would
exceed the annual threshold established in UMRA for private-sector
mandates ($139 million in 2009, adjusted annually for
inflation) in at least one of the first five years the mandates
are in effect.
Estimated cost to the Federal Government: The estimated
budgetary impact of H.R. 2221 is shown in the following table.
The costs of this legislation fall within budget function 370
(commerce and housing credit).
----------------------------------------------------------------------------------------------------------------
By fiscal year, in millions of dollars--
--------------------------------------------------
2010 2011 2012 2013 2014 2010-2014
----------------------------------------------------------------------------------------------------------------
CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Authorization Level.......................................... 1 1 1 1 1 5
Estimated Outlays............................................ 1 1 1 1 1 5
----------------------------------------------------------------------------------------------------------------
Basis of estimate: For this estimate, CBO assumes that the
bill will be enacted early in calendar year 2010 and that the
$1 million authorized to be appropriated for each of fiscal
years 2010 through 2015 will be provided for each year. CBO
estimates that implementing H.R. 2221 would cost $5 million
over the 2010-2014 period for the FTC to issue regulations and
enforce the bill's provisions. Enacting the legislation would
not have a significant effect on revenues and would not affect
direct spending.
Estimated impact on state, local, and tribal governments:
H.R. 2221 contains intergovernmental mandates as defined in
UMRA. It would preempt state and local laws that require
entities that experience security breaches to notify persons
whose information is compromised. The bill also would preempt
state and local laws that require entities to implement
security practices for handling personal information. CBO
estimates that because the preemptions would only limit the
application of state law, the mandate would impose no costs on
state, local, or tribal governments.
Estimated impact on the private sector: H.R. 2221 would
impose several private-sector mandates as defined in UMRA. It
would require entities engaged in interstate commerce that own
or possess personal information to implement policies and
procedures to keep personal information secure, and to notify
individuals when their personal information has been
compromised as a result of a security breach. The bill also
would require information brokers to establish procedures to
verify the accuracy of the data they maintain on individuals
and allow those individuals to review and correct their files.
Much of the industry already complies in large part with
many of the bill's requirements. However, this legislation
would impose new information security requirements and
notification procedures and practices on millions of private-sector
entities. It also would broaden the definition of
``personal information'' and expand the circumstances under
which businesses must notify individuals of a breach of their
information as compared to current law. Based on information
from the FTC and industry sources, CBO estimates that the
aggregate cost of the mandates in the bill would exceed the
annual threshold established in UMRA for private-sector
mandates ($139 million in 2009, adjusted annually for
inflation) in at least one of the first five years that the
mandates are in effect.
Requirements for information security
Section 2 of the bill would require certain entities that
own or possess personal information, that are engaged in
interstate commerce, or that contract a third party to maintain
such data, to establish and implement information security
policies and procedures in compliance with regulations to be
set by the FTC. Personal information, as defined in the bill,
is an individual's first name or initial and last name, or
address, or phone number, in combination with any one or more
of the following: the individual's social security number,
driver's license number, passport number or similar
identification number issued on a government document, or a
financial account number or credit card number and any security
or access code needed to access the account.
Covered entities would have to implement a security policy
with respect to the use, sale, dissemination, and maintenance
of data and conduct periodic vulnerability testing on their
security programs. Additionally, those entities would have to
identify an officer responsible for the oversight of the
information security. Entities also would have to implement a
process for disposing of obsolete electronic and non-electronic
data containing personal information. Some businesses could be
determined by the FTC to be in compliance with the requirements
of section 2 if they are currently in compliance with similar
federal regulations to maintain standards and safeguards for
information security.
The cost of compliance for the data privacy and security
requirements would depend on the rules to be established by the
FTC, the size of the entity, and the amount of personal
information maintained by the entity. Most businesses are
already subject to state or other federal laws regulating
security policies, and it is the current practice of many
businesses to use security measures to protect sensitive data.
However, state laws generally use a more narrow definition of
personal information than would apply under the bill. The
bill's requirements would apply to varying degrees to millions of
businesses who own, use, or maintain personal information. Even
though the incremental cost per entity of implementing the
information security requirements in the bill could be small,
the aggregate cost of compliance could be substantial.
Notification of information security breach
Section 3 would require a covered entity that owns or
possesses data in electronic form containing personal
information to notify individuals and the FTC following a
security breach in which such individuals' personal information
was accessed or acquired by an unauthorized person. The bill
also includes special notification requirements for third party
agents and internet service providers.
Notification would have to be written or, in some
circumstances, could be sent via email. The bill allows for
substitute notification, through postings on the entity's Web
site and in print and broadcast media, when the person
experiencing the breach owns or possesses the data of fewer
than 1,000 individuals, or when direct notification is not
feasible due to excessive cost or if the contact information
for the individuals is unavailable. Both forms of notification
would have to include a description of the information accessed
or acquired, certain relevant telephone contact numbers, and
notice of the right to receive free credit monitoring services
or quarterly credit reports for two years following the breach.
Entities would have to provide credit reports or credit
monitoring services to individuals affected by a breach at no
cost to the individual, if requested.
If the breached personal information consists of an
individual's name, address, or phone number in combination with
a credit or debit card number and the required security code,
under the legislation, breach notification would not be
required. The bill also would allow an entity to be exempt from
notification requirements, if it determines that there is no
reasonable risk of identity theft, fraud, or other unlawful
conduct. The bill allows a presumption that no such risk exists
when the data were encrypted or similarly modified so as to be
rendered unreadable.
Should entities choose to reduce the likelihood of a data
breach by encrypting personal information, the total cost could
be substantial. Data encryption software can cost between $150
and $600 or more depending on the type of system used and the
amount of data. If even a small portion of the millions of
entities affected by this bill were to purchase this software,
those costs could exceed the annual threshold.
In 2006, more than 17 million people's social security
numbers were stolen or accessed in security breaches, none of
which was encrypted. Since 2006, the number of individuals who
have had their information accessed illegally has risen. This
legislation would elevate other personally identifying
information (such as driver's license numbers and passport IDs)
to the level of a social security number for the purposes of
data breach notification. Therefore, the number of individuals
who would have to be notified about a breach could increase
under the bill.
The majority of states already have data breach security
laws in place; however, those laws do not include provisions for
mandatory credit monitoring services. The cost of bulk
purchases of the credit monitoring services is approximately
$60 per person, per year, according to credit industry
professionals. Historically, there has been an acceptance rate
of such services of about 6 percent to 8 percent. If the large
number of security breaches continues, in spite of the
requirements for information security programs and encryption,
the cost of the notification requirements could be significant.
Special requirements for information brokers
Security Systems Audit. Information Brokers (companies
whose business is to collect, assemble, maintain and sell
information about individuals who are not their customers)
would be required to submit their information-security policies
to the FTC for review upon request or accompanying notification
of breach of security. As a part of their information security
requirements, following a breach in security, information
brokers would be required to allow the FTC to conduct a post-
breach audit of their security systems, or to have an
independent auditor brought in to review the system.
According to industry experts, the cost of a security audit
can range from $10,000 to more than $100,000 depending on the
thoroughness of the audit and the type of systems being tested.
Only 26 audits were required by the FTC between 2001 and 2009.
However, the scope of what constitutes a breach could be
broadened under the bill, so the number of audits may increase
upon enactment of this legislation.
Maintaining the Accuracy of Information. Information
brokers would also be required to establish accuracy standards
for the personal information they broker. The bill would
require information brokers annually to provide individuals
with their personal information at no cost. The individual
would then have to be given the right to dispute any
information held by the broker. If that information is found to
be incorrect, information brokers who do not use their data for
marketing purposes would be obliged to correct the inaccuracy
and, in certain cases, to provide the individual with the
source of the data. Information brokers who do use data for
marketing purposes would be required to allow individuals to
decide how their information should be used.
The cost of providing records upon request depends on the
costs of gathering and distributing the information to
individuals and the number of individuals requesting their
information. According to information from industry sources,
some information brokers already correct information based on
requests from individuals. Industry experts also indicate that
the average cost to large information brokers that currently
provide this service is about $8.50 each time a record is
disclosed and information is disputed by an individual.
However, the cost per record may be higher for information
brokers who do not currently have systems in place to handle
such disputes. Some evidence exists that many individuals'
personal information housed at data brokerage firms is in part
incorrect.
There were 12 million disputes that led to investigations
in 2006 and providing the means to access and dispute personal
information annually could reasonably lead to an increase in
the number of requests. The cost would be the incremental cost
incurred by brokers as a consequence of an increase in dispute
requests. According to industry leaders, there were around 30
data aggregators and 600 to 700 information brokers nationwide
in 2006. Those information brokers that do not currently have
the capability to resolve disputes would incur a significant
cost for establishing the means to comply with this provision.
The bill would also require information brokers to maintain
an audit log of internal and external access to, or
transmission of, any data in electronic form containing
personal information. The current industry standard on data
security has not reached that level. According to industry
experts, information on a particular individual can be
collected from several places and, for large companies, can be
accessed by thousands of people from several different
locations. The ability to trace each transaction of data
containing personal information would be a significant
enhancement of data management hardware and software for the
majority of business entities. The aggregate cost of
implementing such changes could be substantial.
Previous CBO estimate: On December 2, 2009, CBO transmitted
a cost estimate for S. 1490, the Personal Data Privacy and
Security Act of 2009, as ordered reported by the Senate
Committee on the Judiciary on November 5, 2009. H.R. 2221 and
S. 1490 are concerned with the security of sensitive personal
information and notification requirements in the event such
information is disclosed to unauthorized entities. CBO
estimates that implementing the provisions of S. 1490 that
would require agencies to assess the security of sensitive
personal information held by the government and to report to
the Congress on those assessments would cost $25 million over
the 2010-2014 period.
CBO determined that both H.R. 2221 and S. 1490 contain
intergovernmental mandates that would not exceed the threshold
established in UMRA ($69 million in 2009, adjusted for
inflation). In addition, CBO determined that both bills contain
private-sector mandates that would exceed the annual threshold
established in UMRA for private-sector mandates ($139 million
in 2009, adjusted annually for inflation).
Estimate prepared by: Federal Costs: Susan Willie; Impact
on State, Local, and Tribal Governments: Elizabeth Cove
Delisle; Impact on the Private Sector: Marin Randall.
Estimate approved by: Theresa Gullo, Deputy Assistant
Director for Budget Analysis.
SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION
Section 1. Short title
Section 1 provides that the short title of H.R. 2221 is the
``Data Accountability and Trust Act''.
Section 2. Requirements for information security
Section 2(a)(1) directs the Federal Trade Commission to
promulgate rules requiring persons that own or possess
``personal information'' to implement security policies and
procedures to safeguard that information. This requirement
applies to both electronic data and paper records containing
personal information. In implementing the regulations under
this section, H.R. 2221 directs the FTC to take into
consideration: (1) the size of, and the nature, scope, and
complexity of the activities engaged in by such persons; (2)
the current state of the art in administrative, technical, and
physical safeguards for protecting personal information; and
(3) the cost of implementing such safeguards. The Committee
intends that the consideration of these factors by the FTC
result in reasonable procedures that are flexible, that may be
implemented by different business models, and that can
accommodate changes in technology and evolving best practices.
Section 2(a)(2) sets forth specific requirements for the
information security policies that are to be determined by the
FTC. For example, the regulations shall require each person to
develop a security policy that addresses, at a minimum, the
collection, use, sale, other dissemination, and maintenance of
paper and electronic personal information. FTC regulations
shall require each person to evaluate risks associated with
different methods and points of collection for personal
information, including the use of terminals or devices to swipe
credit and debit cards to purchase goods at unattended
locations such as vending machines and fuel pumps.
Section 2(a)(3) requires the FTC to conduct a rulemaking to
determine which other federal information security statutes or
rules provide protections substantially similar to, or greater
than, those required under section 2(a). Any person who is in
compliance with such a similar law shall be deemed to be in
compliance with section 2(a) and the FTC's implementing
regulations. The FTC should consider, for example, whether the
information security standards promulgated pursuant to the
Gramm-Leach-Bliley Act and the Health Insurance Portability and
Accountability Act meet this threshold. Although all persons
subject to H.R. 2221 must adequately protect personal
information, the Committee also seeks to avoid imposing
duplicative, inconsistent, or overlapping data security
regulations on a person subject to section 2(a) of H.R. 2221.
Section 2(b) imposes special requirements on information
brokers. Information brokers, who may collect vast amounts of
personal information, provide a wide array of beneficial
services to businesses and government entities. Many of the
data collection activities of information brokers, however, are
largely unregulated.\7\ The high-profile data breaches at
information brokers in 2005, which sparked the initial call for
this legislation, revealed the problems with the significant
gaps in regulation.\8\
---------------------------------------------------------------------------
\7\See Congressional Research Service, Data Brokers: Background and
Industry Overview, at 1 (May 2007) (CRS-RS22137).
\8\House Committee on Energy and Commerce, Data Accountability and
Trust Act (DATA), 109th Cong., at 10 (2006) (H. Rept. 109-453, Part 1).
---------------------------------------------------------------------------
The distinction between information brokers and most other
commercial entities is the amount of information collected,
analyzed, mined, and sold, as well as the lack of transparency
to consumers. Data brokers collect information from various
public and private sources and use it for a wide variety of
purposes. This includes the creation of marketing databases
that, for the largest brokers, can be used to analyze hundreds
of data elements about nearly every American. In addition,
unlike retailers or banks that have direct relationships with
the consumers about whom they collect information, consumers
have no relationship with information brokers and may not be
aware that their profiles are compiled and sold. For those
consumers who are concerned about their privacy and personal
information, it is difficult, if not impossible, to discover
who has what information about them.
Section 2(b)(1) directs the FTC to promulgate regulations
that require information brokers to submit their information
security policies to the FTC any time they are required to
notify FTC of a breach of security under section 3. The FTC
also may request that an information broker submit such
policies to the FTC at any time. Section 2(b)(2) provides the
FTC with the ability to conduct audits of the information
security practices of an information broker that provides
notice pursuant to section 3, or requires such information
broker to conduct independent audits of its security practices.
Section 2(b)(3) imposes specific requirements concerning
accuracy, access, and dispute resolution procedures for
information brokers. Section 2(b)(3)(A) requires that an
information broker establish reasonable procedures to assure
the maximum possible accuracy of the personal information it
collects, assembles, or maintains, and any other information it
collects, assembles or maintains that specifically identifies
an individual. This provision is not limited to personal
information as defined in section 5, but expressly covers ``any
other information it collects, assembles or maintains that
specifically identifies an individual.'' Information, however,
which merely identifies an individual's name or address is
excluded. This exclusion could include a marketing or mailing
list. In addition, section 2(b)(3)(A), which requires
``reasonable procedures'' to assure information accuracy, does
not require that accuracy be absolutely proven or, for example,
that an information broker verify the accuracy of information
obtained from public records. Moreover, clause (ii) provides a
limited exception from the accuracy requirements for fraud
databases.
Section 2(b)(3)(B)(i) requires information brokers to
provide consumers with the ability to access information and
dispute the accuracy of that information. As with the accuracy
requirements in section 2(b)(3)(A), this provision is not
limited to personal information, but includes any other
information maintained by the information broker that
specifically identifies an individual, other than information
that merely identifies an individual's name or address. The
information broker is required to offer access to the
information once a year at no cost to the individual.
Section 2(b)(3)(B)(ii) sets forth the procedures that
permit an individual to dispute the accuracy of information
maintained by an information broker and the actions an
information broker must take in response to such a dispute.
Upon receiving a consumer request under clause (ii), an
information broker must verify the identity of the requesting
individual to prevent both fraudulent access to information and
the fraudulent alteration of information, which could
compromise the integrity of the data and result in harm.
Section 2(b)(3)(B)(iii) sets forth alternate procedures the
information brokers may use regarding certain marketing
information. Specifically, clause (iii) provides that in
accordance with regulations issued by the FTC, if information
is used, shared, or sold for marketing purposes, the
information broker may, in lieu of complying with the access
and dispute requirements of clause (ii), provide all
individuals whose information it maintains with a reasonable
means of expressing a preference not to have his or her
information used for marketing. If the individual expresses
that preference, the information broker may not use, share, or
sell the individual's information for marketing purposes.
Section 2(b)(3)(B)(iv) provides limitations to the access
rights under clause (ii) and website notice requirements under
clause (i). Although an information broker must provide
conspicuous notice on its website, website notice does not
apply to those specific circumstances in which an information
broker may limit access to information. Databases that are used
to verify an individual's identity for antifraud purposes
provide significant benefits to law enforcement, business, and
consumers, and access to such databases could undermine the
usefulness of the data as a tool against fraud. Pursuant to
clause (v), the FTC may implement rules on the scope of the
limitations in clause (iv) and add additional circumstances in
which an information broker may limit access to information.
Section 2(b)(3)(C) provides that if an information broker
is in compliance with the relevant provisions of the Fair
Credit Reporting Act (FCRA) for FCRA-covered information, the
information broker shall be deemed to be in compliance with
paragraph (3) with respect to that information. Thus, the
information broker will not need to comply with the accuracy,
access, and dispute resolution provisions of this Act. This
subparagraph reflects the Committee's intent to avoid the
imposition of duplicative, inconsistent, or overlapping
regulations on an information broker subject to section 2(b) of
H.R. 2221.
Section 2(b)(4) requires the FTC to promulgate regulations
requiring information brokers to establish measures that will
allow information brokers to keep track of who obtains access
to personal information, such as the maintenance of
chronological records or logs. Section 2(b)(5) prohibits
information brokers from obtaining personal information or any
other information relating to a person by pretexting--making
false statements to any person for the purpose of obtaining
information. It also prohibits an information broker from
soliciting another to pretext for information.
Section 2(c) provides a limited exception for certain
activities by service providers as that term is defined in
section 5(10). Specifically, section 2(c) provides that nothing
in section 2 applies to a service provider that is merely
serving as the conduit for the transmission (routing or
transient storage) of information. In this situation, the
entity transmitting the information, the service provider, is
neither the sender nor the intended recipient, did not modify
the data in any way, and does not treat personal information
being transmitted any differently from any other data sent over
its pipes. It is the intent of the Committee that this limited
exemption only applies to these specific activities where the
service provider is merely serving as the conduit for the
transmission of information. To the extent a service provider
stores electronic personal information outside the provision of
transmission or routing services, initiates or is party to a
transmission of personal information, maintains paper records,
or otherwise owns or possesses personal information, a service
provider must comply with the requirements of section 2, unless
otherwise exempt from the requirements of this bill.
Section 3. Notification of information security breach
Section 3(a) requires any person engaged in interstate
commerce that owns or possesses data in electronic form to
notify, following the discovery of a breach of security, the
FTC and each individual whose personal information was acquired
or accessed as a result of the breach. Unlike section 2,
section 3 only applies to data in electronic form.
Section 3(b)(1) limits the breach notification obligations
of a third party agent who, pursuant to a contractual
relationship, is storing or processing personal information on
behalf of another person who owns or possesses such data. In
the event of a breach of security, the third party agent must
provide notice of the breach to the person who owns or
possesses the data. The third party agent must provide notice
as soon as reasonably possible and without delay. Upon
receiving such notice, the person who contracted with the third
party agent and owns or possesses the data must then provide
notice to consumers and the FTC pursuant to section 3(a).
Section 3(b)(1) should not inhibit or supersede the parties'
ability to contract for responsibility in the event of a data
breach; therefore, a third party agent's duty is to notify only
the owner of the data in the event of a breach, and not the
owner's customers or consumers. Notice of a breach from both a
third party agent and the owner of the data would be
duplicative and may cause confusion for a consumer who neither
recognizes nor has a direct relationship with the third party
agent.
Section 3(b)(2) is a limited exception for service
providers when acting solely as a conduit of personal
information that is owned or possessed by another person.
Section 3(b)(2) provides that if a service provider becomes
aware of a breach of security of personal information that is
owned or possessed by another person who uses the service
provider's system or network for the purpose of transmitting,
routing, or providing intermediate or transient storage of such
data, the service provider only is required to notify the
person who initiated the connection or transmission. Notice is
required only in those cases where such person reasonably can
be identified. Upon receiving notification from a service
provider, such person must provide the notice required under
subsection (a). Thus, section 3(b)(2) recognizes that in many
cases a breach of security, during the course of transmission
of information, may not always be discovered and that even when
a breach is discovered, a service provider may not always be
able to identify the nature of the data being transmitted or
the identity of the sender of the information. To the extent a
service provider otherwise experiences a breach of security,
such service provider must comply with all the requirements of
section 3.
Section 3(c) provides that, subject to paragraph (2),
notice must be provided not later than 60 days following the
discovery of the breach unless it can be shown that providing
notice within 60 days is not feasible due to extraordinary
circumstances necessary to prevent further breach or
unauthorized disclosures and reasonably restore the integrity
of the data system. In those circumstances, notice shall be
provided as promptly as possible and the person providing
notice shall have the burden of proving that the extraordinary
circumstances warranted the delay. Paragraph (2) provides for a
delay of notification for law enforcement or national security
purposes upon receipt of a written request from a law
enforcement or national security agency.
Section 3(d)(1) provides for the method and content of
notification. Section 3(d)(2) sets forth the circumstances
under which a person may provide substitute notification in
lieu of direct notification required under section 3(d)(1).
This provision recognizes that small businesses may not have
the resources or the ability to comply with the direct
notification requirements.
Section 3(d)(3) requires the FTC to issue regulations
concerning substitute notification. As part of the regulations,
the FTC may identify other circumstances where substitute
notification would be appropriate for any person, regardless of
size or the amount of personal information held by that person,
including circumstances under which the cost of providing
notification exceeds the benefits to consumers.
Section 3(e) requires a person that provides notice to
individuals under subsection (a) to provide or arrange for the
provision of consumer credit reports, a credit monitoring
service, or other service that enables consumers to detect the
misuse of their personal information. An individual shall
receive these services upon request, at no cost to the
individual, and the services must begin not later than 60 days
following the request and continue for a period of 2 years
thereafter. This provision recognizes that there are a variety
of products and services available that may help consumers
following a breach of security and provide effective protection
for consumers from the risks of identity theft, fraud, or other
unlawful conduct. The requirement is limited to providing
affected individuals one service, not multiple services. The
Committee recognizes, however, that some services available in
the marketplace may provide only minimal, if any, benefit to
consumers, or may provide benefits in limited circumstances. To
address the concern that a person providing notice would
provide the least expensive service regardless of its efficacy
or benefit to consumers, section 3(e)(3) directs the FTC to
determine, through rulemaking, the circumstances under which a
person must provide consumer credit reports, credit monitoring,
or other service.
Section 3(f) provides an exemption from the requirements of
section 3 under limited circumstances. Pursuant to paragraph
(1), a person will not be required to provide notice if
following a breach of security a person determines that there
is no reasonable risk of identity theft, fraud, or other
unlawful conduct. The Committee expects that these
determinations will require a fact-specific analysis of a
particular incident that will take into account the types of
information that have been compromised, the cause of the
breach, the identity of the party who may have accessed or
acquired the information (if known), the usability of the
compromised information, and other factors.
Section 3(f)(2)(A) establishes a presumption that there is
no reasonable risk of identity theft, fraud, or other unlawful
conduct in a particular breach of security if the personal
information that was the subject of the breach is unusable,
unreadable, or indecipherable to an unauthorized third party.
The method of rendering information unusable, unreadable, or
indecipherable must be generally accepted by experts in the
information security field. As of the date of this report,
December 2009, encryption is one such method. However, while
the statute recognizes encryption as a generally accepted
method, it should not be interpreted as requiring the use of
``end to end'' encryption. The presumption, of no reasonable
risk of identity theft, fraud, or other unlawful conduct, may
be rebutted by facts demonstrating that in a particular case
the security technologies or methodologies have been, or are
reasonably likely to be compromised.
Section 3(f)(2)(B) requires the FTC to issue rules or
guidance identifying security methodologies or technologies
which render data unusable, unreadable, or indecipherable for
the purpose of establishing the rebuttable presumption. FTC
rules or guidance must be issued one year after the enactment
of H.R. 2221 and biannually thereafter. This biannual
requirement will ensure that FTC guidance remains relevant, up-
to-date, and reflects changes in technology and methodologies
over time. Because certain technologies and methodologies will
likely become outdated or no longer considered to be an
effective information security tool by experts in the
information security field, the FTC will update its guidance or
regulations to reflect that fact. The FTC could, at any time
through this rulemaking process, determine that encryption or
any other technology or methodology previously identified in
FTC guidance no longer receives a presumption. Importantly, in
issuing these rules or guidance, the FTC is required to consult
with relevant industries, consumer organizations, data security
experts, identity theft prevention experts, and established
standard setting bodies.
By establishing this rebuttable presumption, the Committee
does not intend to deem any technology as the only, preferred
or most effective method or technology for securing personal
information. To the contrary, the provision expressly
recognizes that there may be many technologies and
methodologies that render data unusable, unreadable, or
indecipherable for the purpose of establishing the rebuttable
presumption. The Committee expects that during the rulemaking
or guidance process mandated by this paragraph, those
stakeholders that the FTC is required to consult with will
identify, and the FTC will consider, a broad range of
technologies and methodologies including, but not limited to,
access controls, data association, data masking, encryption,
non-persistent storage on devices, physical anti-tamper
devices, redaction, and remotely triggered kill-pill
technologies. This ongoing process is intended to encourage
innovation and foster the development and adoption of new,
information security technologies and methodologies.
Section 3(g) provides the FTC with the discretion to place
a notice of a breach of security it has received pursuant to
section 3(a)(2) on its website if the FTC finds that such
notice would be in the public interest or for the protection of
consumers. In making a determination, the FTC should consider
not only the benefits to consumers and the public interest, but
also any possible harm that could result from such publication,
including the possible facilitation of phishing attacks or the
causing of undue consumer concern and confusion.
Section 3(h) requires the FTC to conduct a study on the
practicality and cost effectiveness of requiring notice to be
provided in a language in addition to English to individuals
known to speak only a language other than English.
Section 3(i) provides the FTC with discretionary rulemaking
authority to issue rules necessary for the FTC to effectively
enforce section 3.
Section 3(j) provides that the FTC shall determine through
rulemaking which other federal laws that require persons
subject to H.R. 2221 to provide notice to individuals following
a breach of security provide protections substantially similar
to, or greater than, those required under section 3. Any
person who is in compliance with the identified federal law
shall be deemed to be in compliance with section 3 and the
implementing regulations of the FTC. It is the intent of the
Committee to avoid the imposition of duplicative, inconsistent,
or overlapping regulations while ensuring that consumers
receive notification of information security breaches.
Section 4. Application and enforcement
Section 4(a) provides that sections 2 and 3 only apply to
those persons, partnerships, or corporations over which the FTC
has authority pursuant to section 5(a)(2) of the FTC Act.
Section 4(b) provides for enforcement by the FTC and
establishes that a violation of section 2 or 3 shall be treated
as an unfair or deceptive act or practice in violation of a
regulation under section 18 of the FTC Act. Section 4(b)(3)
explicitly prohibits the FTC, when promulgating rules under
this Act, from requiring the deployment or use of any specific
products or technologies, including any specific hardware or
software.
Section 4(c)(1) provides for enforcement by the attorney
general of a state, or an official or agency of a state, for
violations of sections 2 and 3. Section 4(c)(2) sets out the
specific methods for calculating civil penalties in actions
brought by the attorney general of a state, or an official or
agency of a state. Section 4(c)(2)(C) limits the maximum total
liability for civil penalties. Section 4(c)(3) imposes specific
obligations and limitations on state actions.
Section 4(d)(1) establishes an affirmative defense to an
enforcement action brought under subsection 4(b), or a civil
action brought under subsection 4(c), based on a violation of
section 3, that all of the personal information compromised in
a particular breach of security is public record information
acquired from such public records. Section 4(d)(2) provides
that the affirmative defense does not exempt any person from
the requirement to notify the FTC of a breach of security as
required under section 3(a).
Section 5. Definitions
Section 5 contains the definitions that apply to the Act.
Paragraph (1) defines ``breach of security'' to mean the
unauthorized access to or acquisition of data in electronic
form containing personal information.
Paragraph (2) defines the term ``Commission'' to mean the
Federal Trade Commission.
Paragraph (3) defines the term ``data in electronic form''
to mean any data stored electronically or digitally on any
computer system or other database and includes recordable tapes
and other mass storage devices. The definition includes data
stored on removable media and portable storage devices.
Paragraph (4) defines the term ``encryption'' to mean the
protection of data in electronic form, in storage or in transit,
using an encryption technology that has been adopted by an
established standards-setting body and that renders the data
indecipherable in the absence of the cryptographic keys needed
to decrypt it. Such encryption must include the appropriate
management and protection of the keys.
Paragraph (5) defines the term ``identity theft'' to mean
the unauthorized use of another person's personal information
for the purpose of engaging in commercial transactions under
the name of that other person. While identity theft has
predominantly involved account fraud, including the misuse of
existing accounts and new account fraud, the term captures
other equally harmful actions that occur in commerce that do
not constitute account fraud.
Paragraph (6)(A) defines the term ``information broker'' to
mean a commercial entity whose business is to collect,
assemble, or maintain personal information concerning
individuals who are not current or former customers of such
entity in order to sell that information or provide access to
that information to any non-affiliated third party. This term
includes entities that meet this definition as to any part of
their overall business. Some entities may have other business
lines under which they conduct transactions directly with
individual customers; nonetheless, any entity will be considered
an information broker if any part of its business meets the
definition.
Paragraph (6)(B) excludes from the definition of
information broker a commercial entity to the extent that it
processes information collected by and received from a
nonaffiliated third party concerning individuals who are
current or former customers or employees of that third party to
enable that third party to (1) provide benefits for its
employees or (2) directly transact business with its customers.
This subparagraph clarifies that ``information broker'' does
not include an entity where the collection or processing of
information is incidental to its provision of other services,
such as the provision of employee benefits. The phrase
``collected by and received from a nonaffiliated third party''
includes information collected on behalf of such nonaffiliated
third party, received directly from the individual about whom
the information relates. During the course of administering
an employee benefit plan, for example, an entity may, on behalf
of the plan, directly collect and receive data (e.g., phone
numbers, address updates, bank deposit/EFT instructions) from
individual employees.
Paragraph (7) provides that the term ``personal
information'' means an individual's first name or initial and
last name, or address, or phone number, in combination with any
one or more of the following data elements for that individual:
Social Security number; driver's license number, passport
number, military identification number, or other similar number
issued on a government document used to verify identity;
financial account number, or credit or debit card number, and
any required security code, access code, or password that is
necessary to permit access to an individual's financial
account. An individual's first name or initial and last name,
or address, or phone number, in combination with a financial
account number, or credit or debit card number alone,
constitutes ``personal information'' for the purposes of this
Act where such information, without a security code, access
code, or password, could be used to commit identity theft,
fraud, or other unlawful conduct. For example, the information
encoded on the magnetic stripe on the back of a credit card
consists of the cardholder's name and the card number, along
with associated security data. For most credit cards, theft of
this information, without a PIN or password, is adequate to
duplicate the card and steal goods. Therefore, the definition
of personal information includes the name and card number
information encoded on the magnetic stripe of a credit card.
Pursuant to paragraph (7)(B), the FTC may modify the
definition of ``personal information'' through rulemaking, but
only to the extent that modification will not unreasonably
impede interstate commerce and will accomplish the purposes of
this Act. In addition, for the purpose of section 3, the FTC
must further find that modification is necessary to accommodate
changes in technology or practices.
Paragraph (8) defines the term ``public record
information'' to mean information about an individual that has
been obtained originally from records of a federal, state, or
local government entity that are available for public
inspection.
Paragraph (9) defines the term ``non-public information''
to mean information about an individual that is of a private
nature and neither available to the general public nor obtained
from a public record.
Paragraph (10) defines the term ``service provider'' to
mean an entity that provides to a user transmission, routing,
intermediate and transient storage, or connections to its
system or network, for electronic communications, between or
among points specified by such user of material of the user's
choosing, without modification to the content of the material
as sent or received. Any such entity shall be treated as a
service provider under this Act only to the extent that it is
engaged in the provision of such transmission, routing,
intermediate and transient storage, or connections. In this
context, intermediate or transient storage is to be interpreted
narrowly to only cover temporary storage in the course of
transmission or routing. Furthermore, the term service provider
only applies to those entities that serve as a conduit of
information and only to the specific activities of providing
transmission, routing, intermediate and transient storage or
connections. The service provider does not treat personal
information it is transmitting or routing any differently from
any other data sent over its pipes. An entity that processes
information, or serves as an intermediary for the transmission
or processing of specific categories of information, such as a
credit card processor receiving and forwarding credit card
information, does not meet this definition.
Section 6. Effect on other laws
Section 6 provides that this Act preempts any provision of
a state law to the extent that the state law (1) expressly
requires information security practices and treatment of data
containing personal information similar to any of those required
under section 2; or (2) requires notification to individuals of
a breach of security resulting in unauthorized access to or
acquisition of data in electronic form containing personal
information.
Section 6 further provides that no person other than a person
specified in section 4(c) may bring a civil action under the
laws of any state if such action is premised in whole or in
part upon the defendant violating any provisions of this Act,
but makes clear that this provision shall not be construed to
limit the enforcement of any state consumer protection law by
an attorney general of a state.
Section 7. Effective date
Section 7 establishes the effective date as 1 year after
enactment of this Act.
Section 8. Authorization of appropriations
Section 8 authorizes appropriations of $1 million for each
fiscal year from 2010 to 2015 to carry out the provisions of
this Act.
EXPLANATION OF AMENDMENTS
During the full Committee markup of H.R. 2221, Chairman
Waxman offered an amendment in the nature of a substitute as a
manager's amendment. The bipartisan amendment not only
incorporated the changes made in Subcommittee, but also
included several additional changes to the bill.
In section 2, the manager's amendment streamlined the
ability of the FTC to conduct rulemaking concerning the
destruction of paper documents. The manager's amendment also
clarified that persons subject to security requirements under
other relevant federal statutes will be deemed to be in
compliance with the bill's security requirements provided that
those safeguards are ``substantially similar to or greater
than'' the requirements of this bill. In addition, the
amendment clarified the telecommunications exemption in section
2 to ensure that certain service providers are exempt from the
security requirements only to the extent they are serving as
the conduit for the transmission of information.
With respect to the information broker provisions in
section 2(b), the amendment: (1) clarified the exemption for
fraud databases from the accuracy requirements under certain
circumstances; (2) established a new procedure that permits
information brokers to offer consumers the ability to prohibit
the use of their information for marketing purposes in lieu of
complying with the bill's access and correction provisions for
marketing databases; and (3) further clarified that compliance
with the Fair Credit Reporting Act constitutes compliance with
the accuracy, access, and correction requirements of this Act.
The amendment deleted the provision in section 3 of the
bill concerning breaches of health information; added a
requirement that consumers be provided with notice not later
than 60 days after the discovery of the breach; provided that
in lieu of free credit reports for individuals who have
experienced a breach, a breached entity may provide affected
individuals with credit monitoring or other services that
assist in the detection or prevention of the misuse of their
personal information; and revised provisions concerning the
presumption that there is no reasonable risk of identity theft
so that the presumption is more technology neutral and remains
current and relevant as technology evolves. In addition, as
with section 2, the amendment clarified the scope and
application of the limited telecommunications exemption in
section 3 to ensure that such exception only applies to service
providers when serving as the conduit for the transmission of
information.
Further, the amendment clarified that the Act only applies
to commercial entities subject to FTC jurisdiction and that the
civil penalty cap that applies to enforcement by the states may
not exceed $5 million for each violation. Finally, the
amendment added language to clarify the definition of
information broker.
CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
There are no changes in existing federal law made by the
bill, as reported.