[House Report 109-453]
[From the U.S. Government Publishing Office]
109th Congress Rept. 109-453
HOUSE OF REPRESENTATIVES
2d Session Part 2
======================================================================
DATA ACCOUNTABILITY AND TRUST ACT (DATA)
_______
May 26, 2006.--Ordered to be printed
_______
Mr. Sensenbrenner, from the Committee on the Judiciary submitted the
following
R E P O R T
[To accompany H.R. 4127]
[Including Committee on the Judiciary cost estimate]
The Committee on the Judiciary, to whom was referred the
bill (H.R. 4127) to protect consumers by requiring reasonable
security policies and procedures to protect computerized data
containing personal information, and to provide for nationwide
notice in the event of security breach, having considered the
same, report favorably thereon with an amendment and recommend
that the bill as amended do pass.
CONTENTS
Page
The Amendment.................................................... 1
Purpose and Summary.............................................. 9
Background and Need for Legislation.............................. 10
Hearings......................................................... 11
Committee Consideration.......................................... 12
Vote of the Committee............................................ 12
Committee Oversight Findings..................................... 12
New Budget Authority and Tax Expenditures........................ 12
Committee Cost Estimate.......................................... 12
Performance Goals and Objectives................................. 13
Constitutional Authority Statement............................... 13
Section-by-Section Analysis and Discussion....................... 13
THE AMENDMENT
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Accountability and Trust Act
(DATA)''.
SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.
(a) General Security Policies and Procedures.--
(1) Regulations.--Not later than 1 year after the date of
enactment of this Act, the Commission shall promulgate
regulations under section 553 of title 5, United States Code,
to require each person engaged in interstate commerce that owns
or possesses data in electronic form containing personal
information, or contracts to have any third party entity
maintain such data for such person, to establish and implement
policies and procedures regarding information security
practices for the treatment and protection of personal
informtion taking into consideration--
(A) the size of, and the nature, scope, and
complexity of the activities engaged in by, such
person;
(B) the current state of the art in administrative,
technical, and physical safeguards for protecting such
information; and
(C) the cost of implementing such safeguards.
(2) Requirements.--Such regulations shall require the
policies and procedures to include the following:
(A) A security policy with respect to the collection,
use, sale, other dissemination, and maintenance of such
personal information.
(B) The identification of an officer or other
individual as the point of contact with responsibility
for the management of information security.
(C) A process for identifying and assessing any
reasonably foreseeable vulnerabilities in the system
maintained by such person that contains such electronic
data, which shall include regular monitoring for a
breach of security of such system.
(D) A process for taking preventive and corrective
action to mitigate against any vulnerabilities
identified in the process required by subparagraph (C),
which may include implementing any changes to security
practices and the architecture, installation, or
implementation of network or operating software.
(E) A process for disposing of obsolete data in
electronic form containing personal information by
shredding, permanently erasing, or otherwise modifying
the personal information contained in such data to make
such personal information permanently unreadable or
undecipherable.
(3) Treatment of entities governed by other law.--In
promulgating the regulations under this subsection, the
Commission may determine to be in compliance with this
subsection any person who is required under any other Federal
law to maintain standards and safeguards for information
security and protection of personal information that provide
equal or greater protection than those required under this
subsection.
(b) Destruction of Obsolete Paper Records Containing Personal
Information.--
(1) Study.--Not later than 1 year after the date of enactment
of this Act, the Commission shall conduct a study on the
practicality of requiring a standard method or methods for the
destruction of obsolete paper documents and other non-
electronic data containing personal information by persons
engaged in interstate commerce who own or possess such paper
documents and non-electronic data. The study shall consider the
cost, benefit, feasibility, and effect of a requirement of
shredding or other permanent destruction of such paper
documents and non-electronic data.
(2) Regulations.--The Commission may promulgate regulations
under section 553 of title 5, United States Code, requiring a
standard method or methods for the destruction of obsolete
paper documents and other non-electronic data containing
personal information by persons engaged in interstate commerce
who own or possess such paper documents and non-electronic data
if the Commission finds that--
(A) the improper disposal of obsolete paper documents
and other non-electronic data creates a reasonable risk
of identity theft, fraud, or other unlawful conduct;
(B) such a requirement would be effective in
preventing identity theft, fraud, or other unlawful
conduct;
(C) the benefit in preventing identity theft, fraud,
or other unlawful conduct would outweigh the cost to
persons subject to such a requirement; and
(D) compliance with such a requirement would be
practicable.
In enforcing any such regulations, the Commission may determine to be
in compliance with such regulations any person who is required under
any other Federal law to dispose of obsolete paper documents and other
non-electronic data containing personal information if such other
Federal law provides equal or greater protection or personal
information than the regulations promulgated under this subsection.
(c) Special Requirements for Information Brokers.--
(1) Submission of policies to the ftc.--The regulations
promulgated under subsection (a) shall require information
brokers to submit their security policies to the Commission in
conjunction with a notification of a breach of security under
section 3 or upon request of the Commission.
(2) Post-breach audit.--For any information broker required
to provide notification under section 3, the Commission shall
conduct an audit of the information security practices of such
information broker, or require the information broker to
conduct an independent audit of such practices (by an
independent auditor who has not audited such information
broker's security practices during the preceding 5 years). The
Commission may conduct or require additional audits for a
period of 5 years following the breach of security or until the
Commission determines that the security practices of the
information broker are in compliance with the requirements of
this section and are adequate to prevent further breaches of
security.
(3) Verification of and individual access to personal
information.--
(A) Verification.--Each information broker shall
establish reasonable procedures to verify the accuracy
of the personal information it collects, assembles, or
maintains, and any other information it collects,
assembles, or maintains that specifically identifies an
individual, other than information which merely
identifies an individual's name or address.
(B) Consumer access to information.--
(i) Access.--Each information broker shall--
(I) provide to each individual whose
personal information it maintains, at
the individual's request at least 1
time per year and at no cost to the
individual, and after verifying the
identity of such individual, a means
for the individual to review any
personal information regarding such
individual maintained by the
information broker and any other
information maintained by the
information broker that specifically
identifies such individual, other than
information which merely identifies an
individual's name or address; and
(II) place a conspicuous notice on
its Internet website (if the
information broker maintains such a
website) instructing individuals how to
request access to the information
required to be provided under subclause
(I).
(ii) Disputed information.--Whenever an
individual whose information the information
broker maintains makes a written request
disputing the accuracy of any such information,
the information broker, after verifying the
identity of the individual making such request
and unless there are reasonable grounds to
believe such request is frivolous or
irrelevant, shall--
(I) correct any inaccuracy; or
(II)(aa) in the case of information
that is public record information,
inform the individual of the source of
the information, and, if reasonably
available, where a request for
correction may be directed; or
(bb) in the case of information that
is non-public information, note the
information that is disputed, including
the individual's statement disputing
such information, and take reasonable
steps to independently verify such
information under the procedures
outlined in subparagraph (A) if such
information can be independently
verified.
(iii) Limitations.--An information broker may
limit the access to information required under
subparagraph (B) in the following
circumstances:
(I) If access of the individual to
the information is limited by law or
legally recognized privilege.
(II) If the information is used for a
legitimate governmental or fraud
prevention purpose that would be
compromised by such access.
(iv) Rulemaking.--The Commission shall issue
regulations, as necessary, under section 553 of
title 5, United States Code, on the application
of the limitations in clause (iii).
(C) Treatment of entities governed by other law.--The
Commission may promulgate rules (under section 553 of
title 5, United States Code) to determine to be in
compliance with this paragraph any person who is a
consumer reporting agency, as defined in section 603(f)
of the Fair Credit Reporting Act, with respect to those
products and services that are subject to and in
compliance with the requirements of that Act.
(4) Requirement of audit log of accessed and transmitted
information.--Not later than 1 year after the date of the
enactment of this Act, the Commission shall promulgate
regulations under section 553 of title 5, UnitedStates Code, to
require information brokers to establish measures which facilitate the
auditing or retracing of any internal or external access to, or
transmissions of, any data in electronic form containing personal
information collected, assembled, or maintained by such information
broker.
(5) Prohibition on pretexting by information brokers.--
(A) Prohibition on obtaining personal information by
false pretenses.--It shall be unlawful for an
information broker to obtain or attempt to obtain, or
cause to be disclosed or attempt to cause to be
disclosed to any person, personal information or any
other information relating to any person by--
(i) making a false, fictitious, or fraudulent
statement or representation to any person; or
(ii) providing any document or other
information to any person that the information
broker knows or should know to be forged,
counterfeit, lost, stolen, or fraudulently
obtained, or to contain a false, fictitious, or
fraudulent statement or representation.
(B) Prohibition on solicitation to obtain personal
information under false pretenses.--It shall be
unlawful for an information broker to request a person
to obtain personal information or any other information
relating to any other person, if the information broker
knew or should have known that the person to whom such
a request is made will obtain or attempt to obtain such
information in the manner described in subsection (a).
(d) Exemption for Telecommunications Carrier, Cable Operator,
Information Service, or Interactive Computer Service.--Nothing in this
section shall apply to any electronic communication by a third party
stored by a telecommunications carrier, cable operator, or information
service, as those terms are defined in section 3 of the Communications
Act of 1934 (47 U.S.C. 153), or an interactive computer service, as
such term is defined in section 230(f)(2) of such Act (47 U.S.C.
230(f)(2)).
SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.
(a) Nationwide Notification.--Any person engaged in interstate
commerce that owns or possesses data in electronic form containing
personal information shall, following the discovery of a breach of
security of the system maintained by such person that contains such
data--
(1) notify each individual who is a citizen or resident of
the United States whose personal information was acquired by an
unauthorized person as a result of such a breach of security;
and
(2) notify the Commission.
(b) Special Notification Requirement for Certain Entities.--
(1) Third party agents.--In the event of a breach of security
by any third party entity that has been contracted to maintain
or process data in electronic form containing personal
information on behalf of any other person who owns or possesses
such data, such third party entity shall be required only to
notify such person of the breach of security. Upon receiving
such notification from such third party, such person shall
provide the notification required under subsection (a).
(2) Telecommunications carriers, cable operators, information
services, and interactive computer services.--If a
telecommunications carrier, cable operator, or information
service (as such terms are defined in section 3 of the
Communications Act of 1934 (47 U.S.C. 153)), or an interactive
computer service (as such term is defined in section 230(f)(2)
of such Act (47 U.S.C. 230(f)(2))), becomes aware of a breach
of security during the transmission of data in electronic form
containing personal information that is owned or possessed by
another person utilizing the means of transmission of such
telecommunications carrier, cable operator, information
service, or interactive computer service, such
telecommunications carrier, cable operator, information
service, or interactive computer service shall be required only
to notify the person who initiated such transmission of such a
breach of security if such person can be reasonably identified.
Upon receiving such notification from a telecommunications
carrier, cable operator, information service, or interactive
computer service, such person shall provide the notification
required under subsection (a).
(3) Breach of health information.--If the Commission receives
a notification of a breach of security and determines that
information included in such breach is individually
identifiable health information (as such term is defined in
section 1171(6) of the Social Security Act (42 U.S.C.
1320d(6)), the Commission shall send a copy of such
notification to the Secretary of Health and Human Services.
(c) Timeliness of Notification.--All notifications required under
subsection (a) shall be made as promptly as possible and without
unreasonable delay following the discovery of a breach of security of
the system and consistent with any measures necessary to determine the
scope of the breach, prevent further breach or unauthorized
disclosures, and reasonably restore the integrity of the data system.
(d) Method and Content of Notification.--
(1) Direct notification.--
(A) Method of notification.--A person required to
provide notification to individuals under subsection
(a)(1) shall be in compliance with such requirement if
the person provides conspicuous and clearly identified
notification by one of the following methods (provided
the selected method can reasonably be expected to reach
the intended individual):
(i) Written notification.
(ii) Email notification, if--
(I) the person's primary method of
communication with the individual is by
email; or
(II) the individual has consented to
receive such notification and the
notification is provided in a manner
that is consistent with the provisions
permitting electronic transmission of
notices under section 101 of the
Electronic Signatures in Global
Commerce Act (15 U.S.C. 7001).
(B) Content of notification.--Regardless of the
method by which notification is provided to an
individual under subparagraph (A), such notification
shall include--
(i) a description of the personal information
that was acquired by an unauthorized person;
(ii) a telephone number that the individual
may use, at no cost to such individual, to
contact the person to inquire about the breach
of security or the information the person
maintained about that individual;
(iii) notice that the individual is entitled
to receive, at no cost to such individual,
consumer credit reports on a quarterly basis
for a period of 2 years, and instructions to
the individual on requesting such reports from
the person;
(iv) the toll-free contact telephone numbers
and addresses for the major credit reporting
agencies; and
(v) a toll-free telephone number and Internet
website address for the Commission whereby the
individual may obtain information regarding
identity theft.
(2) Substitute notification.--
(A) Circumstances giving rise to substitute
notification.--A person required to provide
notification to individuals under subsection (a)(1) may
provide substitute notification in lieu of the direct
notification required by paragraph (1) if--
(i) the person owns or possesses data in
electronic form containing personal information
of fewer than 1,000 individuals; and
(ii) such direct notification is not feasible
due to--
(I) excessive cost to the person
required to provide such notification
relative to the resources of such
person, as determined in accordance
with the regulations issued by the
Commission under paragraph (3)(A); or
(II) lack of sufficient contact
information for the individual required
to be notified.
(B) Form of substitute notice.--Such substitute
notification shall include--
(i) email notification to the extent that the
person has email addresses of individuals to
whom it is required to provide notification
under subsection (a)(1);
(ii) a conspicuous notice on the Internet
website of the person (if such person maintains
such a website); and
(iii) notification in print and to broadcast
media, including major media in metropolitan
and rural areas where the individuals whose
personal information was acquired reside.
(C) Content of substitute notice.--Each form of
substitute notice under this paragraph shall include--
(i) notice that individuals whose personal
information is included in the breach of
security are entitled to receive, at no cost to
the individuals, consumer credit reports on a
quarterly basis for a period of 2 years, and
instructions on requesting such reports from
the person; and
(ii) a telephone number by which an
individual can, at no cost to such individual,
learn whether that individual's personal
information is included in the breach of
security.
(3) Federal trade commission regulations and guidance.--
(A) Regulations.--Not later than 1year after the date
of enactment of this Act, the Commission shall, by
regulations under section 553 of title 5, United States
Code, establish criteria for determining the
circumstances under which substitute notification may
be provided under paragraph (2), including criteria for
determining if notification under paragraph (1) is not
feasible due to excessive cost to the person required
to provide such notification relative to the resources
of such person.
(B) Guidance.--In addition, the Commission shall
provide and publish general guidance with respect to
compliance with this section. Such guidance shall
include--
(i) a description of written or email
notification that complies with the
requirements of paragraph (1); and
(ii) guidance on the content of substitute
notification under paragraph (2)(B), including
the extent of notification to print and
broadcast media that complies with the
requirements of such paragraph.
(e) Other Obligations Following Breach.--A person required to
provide notification under subsection (a) shall, upon request of an
individual whose personal information was included in the breach of
security, provide or arrange for the provision of, to each such
individual and at no cost to such individual, consumer credit reports
from at least one of the major credit reporting agencies beginning not
later than 2 months following the discovery of a breach of security and
continuing on a quarterly basis for a period of 2 years thereafter.
(f) Exemption.--
(1) General exemption.--A person shall be exempt from the
requirements under this section if, following a breach of
security, such person determines that there is no reasonable
risk of identity theft, fraud, or other unlawful conduct.
(2) Presumptions.--
(A) Encryption.--The encryption of data in electronic
form shall establish a presumption that no reasonable
risk of identity theft, fraud, or other unlawful
conduct exists following a breach of security of such
data. Any such presumption may be rebutted by facts
demonstrating that the encryption has been or is
reasonably likely to be compromised.
(B) Additional methodologies or technologies.--Not
later than 270 days after the date of the enactment of
this Act, the Commission shall, by rule pursuant to
section 553 of title 5, United States Code, identify
any additional security methodology or technology,
other than encryption, which renders data in electronic
form unreadable or indecipherable, that shall, if
applied to such data, establish a presumption that no
reasonable risk of identity theft, fraud, or other
unlawful conduct exists following a breach of security
of such data. Any such presumption may be rebutted by
facts demonstrating that any such methodology or
technology has been or is reasonably likely to be
compromised. In promulgating such a rule, the
Commission shall consult with relevant industries,
consumer organizations, and data security and identity
theft prevention experts and established standards
setting bodies.
(3) FTC guidance.--Not later than 1 year after the date of
the enactment of this Act, the Commission shall issue guidance
regarding the application of the exemption in paragraph (1).
(g) Website Notice of Federal Trade Commission.--If the Commission,
upon receiving notification of any breach of security that is reported
to the Commission under subsection (a)(2), finds that notification of
such a breach of security via the Commission's Internet website would
be in the public interest or for the protection of consumers, the
Commission shall place such a notice in a clear and conspicuous
location on its Internet website.
(h) FTC Study on Notification in Languages in Addition to
English.--Not later than 1 year after the date of enactment of this
Act, the Commission shall conduct a study on the practicality and cost
effectiveness of requiring the notification required by subsection
(d)(1) to be provided in a language in addition to English to
individuals known to speak only such other language.
(i) Special Notification Requirement for Federal Agencies.--
(1) Nationwide notification.--Any Federal agency that owns or
possesses data in electronic form containing personal
information shall, following the discovery of a breach of
security of the system maintained by such agency that contains
such data, notify each individual who is a citizen or resident
of the United States whose personal information was acquired by
an unauthorized person as a result of such a breach of security
(2) Method and content of notification.--
(A) Method of notification.--A Federal agency
required to provide written notification to individuals
under paragraph (1) shall be in compliance with such
requirement if the agency provides conspicuous and
clearly identified written notification that includes
the content required under subparagraph (B).
(B) Content of notification.--Notification required
under this subsection shall include--
(i) a description of the personal information
that was acquired by an unauthorized person;
(ii) a telephone number that the individual
may use, at no cost to such individual, to
contact the Federal agency to inquire about the
breach of security or the information the
Federal agency maintained about that
individual;
(iii) the toll-free contact telephone number
and addresses for the major credit reporting
agencies; and
(iv) a toll-free telephone number and
Internet website address whereby the individual
may obtain information regarding identity
theft.
(3) Exemption.--A Federal agency shall be exempt from the
requirements of this subsection if, following a breach of
security, such agency determines that there is no reasonable
risk of identity theft, fraud, or other unlawful conduct.
SEC. 4. ENFORCEMENT.
(a) Enforcement by the Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
section 2 or 3 shall be treated as an unfair and deceptive act
or practice in violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
(2) Powers of commission.--The Commission shall enforce this
Act in the same manner, by the same means, and with the same
jurisdiction, powers, and duties as though all applicable terms
and provisions of the Federal Trade Commission Act (15 U.S.C.
41 et seq.) were incorporated into and made a part of this Act.
Any person who violates such regulations shall be subject to
the penalties and entitled to the privileges and immunities
provided in that Act.
(3) Limitation.--In promulgating rules under this Act, the
Commission shall not require the deployment or use of any
specific products or technologies, including any specific
computer software or hardware.
(b) Enforcement by State Attorneys General.--
(1) Civil action.--In any case in which the attorney general
of a State, or an official or agency of a State, has reason to
believe that an interest of the residents of that State has
been or is threatened or adversely affected by any person who
violates section 2 or 3 of this Act, the attorney general,
official, or agency of the State, as parens patriae, may bring
a civil action on behalf of the residents of the State in a
district court of the United States of appropriate
jurisdiction--
(A) to enjoin further violation of such section by
the defendant;
(B) to compel compliance with such section; or
(C) to obtain civil penalties in the amount
determined under paragraph (2).
(2) Civil penalties.--
(A) Calculation.--
(i) Treatment of violations of section 2.--
For purposes of paragraph (1)(C) with regard to
a violation of section 2, the amount determined
under this paragraph is the amount calculated
by multiplying the number of violations of such
section by an amount not greater than $11,000.
Each day that a person is not in compliance
with the requirements of such section shall be
treated as a separate violation. The maximum
civil penalty calculated under this clause
shall not exceed $5,000,000.
(ii) Treatment of violations of section 3.--
For purposes of paragraph (1)(C) with regard to
a violation of section 3, the amount determined
under this paragraph is the amount calculated
by multiplying the number of violations of such
section by an amount not greater than $11,000.
Each failure to send notification as required
under section 3 to a resident of the State
shall be treated as a separate violation.
Themaximum civil penalty calculated under this clause shall not exceed
$5,000,000.
(B) Adjustment for inflation.--Beginning on the date
that the Consumer Price Index is first published by the
Bureau of Labor Statistics that is after 1 year after
the date of enactment of this Act, and each year
thereafter, the amounts specified in clauses (i) and
(ii) of subparagraph (A) shall be increased by the
percentage increase in the Consumer Price Index
published on that date from the Consumer Price Index
published the previous year.
(3) Intervention by the ftc.--
(A) Notice and intervention.--The State shall provide
prior written notice of any action under paragraph (1)
to the Commission and provide the Commission with a
copy of its complaint, except in any case in which such
prior notice is not feasible, in which case the State
shall serve such notice immediately upon instituting
such action. The Commission shall have the right--
(i) to intervene in the action;
(ii) upon so intervening, to be heard on all
matters arising therein; and
(iii) to file petitions for appeal.
(B) Limitation on state action while federal action
is pending.--If the Commission has instituted a civil
action for violation of this Act, no State attorney
general, or official or agency of a State, may bring an
action under this subsection during the pendency of
that action against any defendant named in the
complaint of the Commission for any violation of this
Act alleged in the complaint.
(4) Construction.--For purposes of bringing any civil action
under paragraph (1), nothing in this Act shall be construed to
prevent an attorney general of a State from exercising the
powers conferred on the attorney general by the laws of that
State to--
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(c) Affirmative Defense for a Violation of Section 3.--It shall be
an affirmative defense to an enforcement action brought under
subsection (a), or a civil action brought under subsection (b), based
on a violation of section 3, that all of the personal information
contained in the data in electronic form that was acquired as a result
of a breach of security of the defendant is public record information
that is lawfully made available to the general public from Federal,
State, or local government records and was acquired by the defendant
from such records.
SEC. 5. DEFINITIONS.
In this Act the following definitions apply:
(1) Breach of security.--The term ``breach of security''
means the unauthorized acquisition of data in electronic form
containing personal information.
(2) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(3) Data in electronic form.--The term ``data in electronic
form'' means any data stored electronically or digitally on any
computer system or other database and includes recordable tapes
and other mass storage devices.
(4) Encryption.--The term ``encryption'' means the protection
of data in electronic form in storage or in transit using an
encryption technology that has been adopted by an established
standards setting body which renders such data indecipherable
in the absence of associated cryptographic keys necessary to
enable decryption of such data. Such encryption must include
appropriate management and safeguards of such keys to protect
the integrity of the encryption.
(5) Identity theft.--The term ``identity theft'' means the
unauthorized use of another person's personal information for
the purpose of engaging in commercial transactions under the
name of such other person.
(6) Information broker.--The term ``information broker''
means a commercial entity whose business is to collect,
assemble, or maintain personal information concerning
individuals who are not current or former customers of such
entity in order to sell such information or provide access to
such information to any nonaffiliated third party in exchange
for consideration, whether such collection, assembly, or
maintenance of personal information is performed by the
information broker directly, or by contract or subcontract with
any other entity.
(7) Personal information.--
(A) Definition.--The term ``personal information''
means an individual's first name or initial and last
name, or address, or phone number, in combination with
any 1 or more of the following data elements for that
individual:
(i) Social Security number.
(ii) Driver's license number or other State
identification number.
(iii) Financial account number, or credit or
debit card number, and any required security
code, access code, or password that is
necessary to permit access to an individual's
financial account.
(B) Modified definition by rulemaking.--The
Commission may, by rule, modify the definition of
``personal information'' under subparagraph (A) to the
extent that such modification is necessary to
accommodate changes in technology or practices, will
not unreasonably impede interstate commerce, and will
accomplish the purposes of this Act.
(8) Public record information.--The term ``public record
information'' means information about an individual which has
been obtained originally from records of a Federal, State, or
local government entity that are available for public
inspection.
(9) Non-public information.--The term ``non-public
information'' means information about an individual that is of
a private nature and neither available to the general public
nor obtained from a public record.
SEC. 6. EFFECT ON OTHER LAWS.
(a) Preemption of State Information Security Laws.--This Act
supersedes any provision of a statute, regulation, or rule of a State
or political subdivision of a State, with respect to those entities
covered by the regulations issued pursuant to this Act, that
expressly--
(1) requires information security practices and treatment of
data in electronic form containing personal information similar
to any of those required under section 2; and
(2) requires notification to individuals of a breach of
security resulting in unauthorized acquisition of data in
electronic form containing personal information.
(b) Additional Preemption.--
(1) In general.--No person other than the Attorney General of
a State may bring a civil action under the laws of any State if
such action is premised in whole or in part upon the defendant
violating any provision of this Act.
(2) Protection of consumer protection laws.--This subsection
shall not be construed to limit the enforcement of any State
consumer protection law by an Attorney General of a State.
(c) Protection of Certain State Laws.--This Act shall not be
construed to preempt the applicability of--
(1) State trespass, contract, or tort law; or
(2) other State laws to the extent that those laws relate to
acts of fraud.
(d) Preservation of FTC Authority.--Nothing in this Act may be
construed in any way to limit or affect the Commission's authority
under any other provision of law, including the authority to issue
advisory opinions (under part 1 of volume 16 of the Code of Federal
Regulations), policy statements, or guidance regarding this Act.
SEC. 7. EFFECTIVE DATE AND SUNSET.
(a) Effective Date.--This Act shall take effect 1 year after the
date of enactment of this Act.
(b) Sunset.--This Act shall cease to be in effect on the date that
is 10 years from the date of enactment of this Act.
SEC. 8. AUTHORIZATION OF APPROPRIATIONS.
There is authorized to be appropriated to the Commission $1,000,000
for each of fiscal years 2006 through 2010 to carry out this Act.
PURPOSE AND SUMMARY
As reported by the Committee on the Judiciary, H.R. 4127,
the ``Data Accountability and Trust Act of 2006,'' is intended
to protect consumers by requiring security policies and
procedures to protect computerized data containing personal
information, and to provide nationwide notice to consumers in
the event of a breach of such data. The bill authorizes the
Federal Trade Commission (FTC) to establish such policies and
procedures, which would be enforced by the FTC and State
Attorneys General. An amendment added by the Judiciary
Committee would also require Federal departments and agencies
to notify consumers of data breaches in the same manner as the
private sector.
BACKGROUND AND NEED FOR THE LEGISLATION
On May 4, 2006, the Committee on Energy and Commerce
reported H.R. 4127, the ``Data Accountability and Trust Act of
2006.'' \1\ The bill was sequentially referred to the Committee
on the Judiciary for a period ending not later than June 2,
2006. The sections within the jurisdiction of the Committee on
the Judiciary pertain to civil enforcement by State Attorneys
General, and related civil penalties, as well as the bill's
effect on State laws related to trespass, contract, tort law
and acts of fraud.
---------------------------------------------------------------------------
\1\ See H.R. Rep. No. 109-453, Part I (2006).
---------------------------------------------------------------------------
The Committee on the Judiciary became acutely aware of the
need to provide greater oversight and regulation of personally
identifiable data with the revelation in February 2005 that
organized criminals had fraudulently obtained personal data on
nearly 145,000 consumers from ChoicePoint, Inc., an Alpharetta,
Georgia-based data broker.\2\ The criminals used the data to
commit various acts of identity theft. Since that watershed
breach, businesses that maintain such data, including other
data brokers,\3\ financial institutions,\4\ media companies,\5\
retailers,\6\ universities,\7\ and Federal government agencies
\8\ have experienced similar breaches involving sensitive
information that can be used to commit identity theft.
---------------------------------------------------------------------------
\2\ Joseph Menn, Fraud Ring Taps Into Credit Data, L.A. Times,
February 15, 2005 at 1.
\3\ David Colker, ID Thieves Tap Files at 2nd Big Data Firm, L.A.
Times, March 10, 2005 at 1.
\4\ Mark Mueller, Inside Ring is Charged in Financial Data Scheme,
Nwrk. Star-Ledger, April 29, 2005 at 21.
\5\ Jon Swartz, Time-Warner Data on 600,000 Missing, USA Today, May
3, 2005.
\6\ Bill Husted & David Markiewicz, I.D. Theft Slams Chain, 1.4
Million Cards Stolen, Atl.J-Const., April 20, 2005 at 1.
\7\ Allison Kolodziej, Data Thieves Prey on Colleges: Schools
Becoming More Vigilant to Safeguard Personal Information, Columbus
Dis., May 13, 2006 (online version).
\8\ Christopher Lee, Personal Data on Veterans is Stolen, Wash.
Post, May 23, 2006 at A1.
---------------------------------------------------------------------------
Although the focus of public attention has been on the
missteps of data brokers, the Judiciary Committee understands
that data brokers provide a wide array of beneficial
information services to business and government entities,
particularly law enforcement. For example, data broker
information is used by Federal, State and local law enforcement
officials in locating criminals, such as those who fail to
appear at trial, or fail to pay court-ordered child support.
Businesses also use data broker-provided services to detect and
deter fraudulent transactions. Despite these benefits, the
seeming epidemic in data breaches over the last year raises
serious questions about the aggregation of sensitive consumer
information, whether this information is protected adequately
from misuse and unauthorized disclosure, and the relationship,
if any, to the increase in identity theft and other crimes.
Data security breaches have raised questions about the
sufficiency of current laws to protect consumer information
from identity theft. Although there are Federal laws that
provide standards for disclosure of some types of personal
information and require certain entities to take steps to
safeguard personal information, there is no comprehensive
Federal law dealing with data security. In addition, many of
our Federal laws have not been adequately updated since the
growth of the Internet as a tool of commerce during the last
decade, making consumers as vulnerable as they have ever been
to the threat of identity theft.
H.R. 4127 attempts to create a uniform Federal standard for
the protection of sensitive personal information and for
providing notice to consumers in the event that their personal
information is compromised by a security breach. The bill
authorizes the Federal Trade Commission (FTC) to set such
standards, and enforce those standards as violations of Section
5 of the Federal Trade Commission Act. The legislation also
authorizes State Attorneys General to enforce the Federal law
and obtain civil penalties for violations of the Act.
The Committee on the Judiciary supports the goal of
crafting comprehensive, rational, and non-duplicative national
standards for handling data breaches involving personal
information. Unfortunately, H.R. 4127 as reported to the
Judiciary Committee falls short of that goal in a few key
areas.
First, the bill permits the FTC to regulate the data
collection and retention activities of virtually any entity
that owns or possesses personal information. This includes
financial services firms that are already subject to stringent
privacy and information security standards under the Federal
Gramm-Leach-Bliley Act. Rather than expressly exempting
federally-regulated institutions from the scope of the bill's
coverage, H.R. 4127 allows the FTC to determine whether and how
financial institutions should be covered by the law. The FTC
has little expertise in the area of financial data regulation,
and the Judiciary Committee believes that this expansion of the
FTC's jurisdiction is unwarranted, and potentially could result
in duplicative and burdensome Federal regulation.
Second, the bill permits State Attorneys General to enforce
the bill's data protection and consumer notice requirements if
the FTC fails to act. Again, because the bill sweeps in
virtually every entity that owns or possesses personal
information, the bill would allow State Attorneys General to
bring enforcement actions against financial institutions,
rather than leaving regulation and enforcement of these
entities to the Federal financial regulators. The Committee
believesthat State Attorneys General can and should play an
important role in enforcing violations of State and Federal law,
including in the area of data security. H.R. 4127 goes too far,
however, by expanding State Attorney General enforcement in an area
traditionally reserved to Federal financial regulators.
Finally, the bill's preemption provision undermines the
legislation's general effort to create a uniform set of Federal
requirements governing data security and consumer notice.
Although the bill attempts to create national standards, it
expressly protects State consumer protection laws and does not
preempt any State law relating to fraud. These broad exceptions
raise questions about whether entities regulated under H.R.
4127 will be subject to conflicting State and Federal laws and
regulations, undermining the goal of a nationwide standard for
the protection of personal data.
HEARINGS
No hearings were held in the Committee on the Judiciary on
H.R. 4127. On May 9, 2006, the House Judiciary Committee's
Subcommittee on Crime, Terrorism and Homeland Security held a
hearing on the policy issues raised by the increase in computer
crime and identity theft. The Subcommittee received testimony
from: Ms. Laura H. Parsky, Deputy Assistant Attorney General,
Criminal Division, United States Department of Justice; Mr.
Joseph LaRocca, Vice President, Loss Prevention, National
Retail Federation; Ms. Anne Wallace, Executive Director,
Identity Theft Assistance Corporation; and Ms. Susanna
Montezemolo, Policy Analyst, Consumers Union.
COMMITTEE CONSIDERATION
On Thursday, May 25, 2006, the Committee met in open
session and ordered favorably reported the bill, H.R. 4127, by
voice vote with an amendment, a quorum being present.
VOTE OF THE COMMITTEE
In compliance with clause 3(b) of Rule XIII of the Rules of
the House of Representatives, the Committee notes that there
were no recorded votes on H.R. 4127 during the Committee on the
Judiciary's consideration of the bill.
COMMITTEE OVERSIGHT FINDINGS
In compliance with clause 3(c)(1) of rule XIII of the Rules
of the House of Representatives, the Committee reports that the
findings and recommendations of the Committee, based on
oversight activities under clause 2(b)(1) of rule X of the
Rules of the House of Representatives, are incorporated in the
descriptive portions of this report.
NEW BUDGET AUTHORITY AND TAX EXPENDITURES
Clause 3(c)(2) of House Rule XIII is inapplicable because
this legislation does not provide new budgetary authority or
increased tax expenditures.
COMMITTEE COST ESTIMATE
In compliance with clause 3(d)(2) of rule XIII of the Rules
of the House of Representatives, the Committee sets forth, with
respect to H.R. 4127, the following estimate. This Committee
primarily adopts the Congressional Budget Office's prepared
cost estimate of H.R. 4127 as reported by the House Committee
and Energy Commerce, which is included in their report.\9\ An
amendment was adopted to the bill that would require Federal
departments and agencies to notify consumers of data breaches
in the same manner as the private sector. The following excerpt
draws Congressional Budget Office's prepared cost for S. 1789,
and is describing a substantively identical provision in that
legislation. The Committee believes the cost analysis for this
amendment would be virtually identical to the following
analysis.
---------------------------------------------------------------------------
\9\ See H.R. Rep. No. 109-453, Part I (2006).
---------------------------------------------------------------------------
The Federal Information Security Management Act of 2002
provides requirements for securing the federal government's
information systems, including the protection of personal
privacy. The National Institute of Standards and Technology
develops information security standards and guidelines for
other federal agencies, and the Office of Management and Budget
(OMB) oversees information technology security policies and
practices. OMB estimates that federal agencies spend around $5
billion a year to secure the government's information systems.
In the event of a security breach involving a significant
risk of identity theft, government agencies would be required
to notify an individual whose information may have been
compromised. Notification would be in the form of individual
notice (written notice to a home mailing address, via
telephone, or via e-mail) as well as through the mass media.
The cost of such notification would depend on the number of
security breaches that occur, the number of persons affected,
and the cost per person of notification. CBO cannot estimate
the number of security breaches that might occur within the
federal government in any year.
Nationwide, only the largest breaches are identified and
reported. Limited anecdotal information over the last two years
suggests that security breaches involving the federal
government have occurred regularly usually involving the theft
of computers containing personal information from specific
agencies. Such thefts have affected the personal information of
about 3 percent of the 4 million civilian and military federal
employees (about 120,000). Based on that data and information
from OMB and other agencies, CBOdoes not expect that there
would be significant notification costs under the bill in any one year.
Thus, CBO estimates that implementing the notification provision in S.
1789 would cost less than $500,000 annually.
Nonetheless, the federal government is also one of the
largest providers, collectors, consumers, and disseminators of
personnel information in the United States. The cost to notify
individuals of a security breach to personnel information may
cost up to $2 per notification. Although, CBO cannot anticipate
the number of security breaches, a significant breach of
security involving a major collector of personnel information,
such as the Internal Revenue Service or the Social Security
Administration could involve millions of individuals and would
have a significant budgetary impact.\10\
---------------------------------------------------------------------------
\10\ Congressional Budget Office Cost Estimate of S. 1789, the
``Personal Data Privacy and Security Act of 2005,'' as reported by the
Senate Judiciary Committee on November 17, 2005, available at http://
cbo.gov/ftpdocs/71xx/doc7161/s1789.pdf.
---------------------------------------------------------------------------
PERFORMANCE GOALS AND OBJECTIVES
The goal of H.R. 4127 is to protect consumers by requiring
reasonable security policies and procedures to protect
computerized data containing personal information, and to
provide for uniform nationwide notice in the event of a
security breach.
CONSTITUTIONAL AUTHORITY STATEMENT
Pursuant to clause 3(d)(1) of rule XIII of the Rules of the
House of Representatives, the Committee finds the authority for
this legislation in art. I, Sec. 8 of the Constitution.
SECTION-BY-SECTION ANALYSIS AND DISCUSSION
The following section-by-section analysis describes the
sections of H.R. 4127 as reported that fall within the Rule X
jurisdiction of the Committee on the Judiciary. For a
description of the other sections of the bill, please refer to
the report of the Committee on Energy and Commerce.\11\
---------------------------------------------------------------------------
\11\ Id.
---------------------------------------------------------------------------
Section 3. Notification of information security breach
Section 3 requires any entity engaged in interstate
commerce that owns or possesses personal information in
electronic form to notify individuals whose information was
acquired by an unauthorized person and the FTC, following the
discovery of a breach of security of the system containing such
information.
Section 3(b) requires special notification for entities
that do not own the data subject to a security breach.
Specifically, a third party agent contracted to maintain or
process data in electronic form on behalf of an entity who owns
or possesses such personal information is required to notify
the person or entity that owns or possesses the data who in
turn provides notice as required by section 3(a). The Committee
recognizes that many companies are contracted to provide data
services for companies that own or possess personal
information. Contracted entities in many an instance do not
have contact information for an individual whose information
was breached and would therefore be unable to provide notice.
Additionally, the Committee believes for a notice to be most
effective, it should come from the entity with whom the
individuals are most likely to identify or recognize by means
of a relationship.
Similarly, section 3(b)(2) recognizes that
telecommunications carriers, cable operators, information
service or interactive computer services provide transmission
utility for data in transit. As such, a breach of data in
transit that utilizes the means of transmission may not be
identifiable. Further, in such cases where a breach is
identifiable, the nature of the data and identity of the sender
of the data may not be readily identifiable by the provider of
the transmission utility. This subsection provides that such
third party entity will only be required to notify the entity
that initiated the transmission of the data of the breach,
provided such entity can be reasonably identified.
Section 3(b)(3) addresses security breaches that include
individually identifiable health information. Upon receiving
notice from the entity that suffered the breach, the FTC is
required to provide a copy of such notice to the Secretary of
Health and Human Services.
Section 3(c) requires notices be made as promptly as
possible but consistent with any measures undertaken to
determine the scope of the breach, prevent further breach, and
restore integrity of the system. Section 3(d) provides for the
method of the notification. Entities required to send notice
may do so by either written notification or by email. Notice by
email is only permitted in cases when it is the entity's
primary contact method with the individual or the individual
has consented to receive such notification by email and the
notification is consistent with applicable law.
Section 3(e) provides that an entity required to provide
notice for a breach of security shall provide, or make
arrangements for the provision of, quarterly consumer credit
reports for two years from one of the major credit reporting
agencies, and at no cost to the individual, upon request from
the individual.
Section 3(f) provides an exemption from the requirements of
section 3 under certain circumstances. Specifically, under
section 3(f)(1) an entity is not required to provide notice if
it determines there is no reasonable risk of identity theft,
fraud, or other unlawful conduct following a breach of
security. The Committee expects these determinations will be
fact specific and will take account of the types of information
breached, the party that acquired the information, and the
usability of the information by the party who acquired it.
Further, section 3(f)(2)(A) establishes a rebuttable
presumption that there is no reasonable risk of identity theft,
fraud, or other unlawful conduct if the data that is breached
is encrypted. The presumption may be rebutted by facts
demonstrating that the encryption has been or is likely to be
compromised. The Committee recognizes that, given sufficient
time, all encryption may be ``compromised'' asencryption
standards evolve and forms of encryption become outdated.
Although encryption is a widely used and accepted practice
of securing data, the Committee does not intend to deem
encryption as the only effective method or technology of
securing and protecting data. In fact, many industry experts
take the position that other methods and technologies used to
protect data are equally, and in some cases more, effective
than encryption. Section 3(f)(2)(B) provides that the FTC
shall, by rule and within nine months of the date of enactment
of the Act, identify any other methods or technologies that
render electronic data unreadable or indecipherable. The
Committee's intent in requiring the FTC to undertake this
rulemaking is that the Commission should not be limited in
determining any other effective data protection technologies or
methods, in addition to encryption, which would render data
unusable and therefore establish a presumption there is no
reasonable risk of identity theft, fraud, or other unlawful
activity.
Section 3(f)(3) requires the Commission to issue guidance
within one year of enactment of the Act regarding the
application of the exemption in section 3(f).
Section 3(g) provides the Commission with discretion to
place a notice of a breach of security it has received under
section 3(a)(2) on its website if the Commission determines
such posting is in the public interest and for the protection
of consumers.
Section 3(h) provides for an FTC study regarding the
practicality and cost effectiveness of requiring notification
to be provided in a language in addition to English.
Section 3(i) requires Federal agencies that own or possess
data in electronic form containing personal information to
provide written notice to each individual who is a citizen or
resident of the United States if their personal information is
acquired by an unauthorized person as a result of a security
breach. Agencies are exempt from making such disclosures if
they determine that the breach causes no reasonable risk of
identity theft, fraud, or other unlawful conduct. The Committee
intends this provision to address circumstances where the
Federal government maintains information in a similar manner as
the private sector, such as the recent breach of the personal
information of nearly 26.5 million veterans maintained by the
United States Department of Veterans Affairs, and does not
intend it to apply in circumstances where disclosure of the
breach or the information that is the subject of the breach
could compromise a criminal investigation or national security.
Section 4. Enforcement
Section 4(a)(1) provides that a violation of the Act shall
be enforced by the FTC as an unfair and deceptive act or
practice in violation of a regulation under section 18 the
Federal Trade Commission Act. The FTC has limited or no
jurisdiction over certain types of entities and activities.
These include banks, savings associations, and Federal credit
unions; regulated common carriers; air carriers; non-retail
sales of livestock and meat products; nonprofit entities; and
the business of insurance. See, e.g., 15 U.S.C. Sec.
Sec. Sec. 44, 45, 46 (FTC Act); 15 U.S.C. Sec. 21 (Clayton
Act); 7 U.S.C. Sec. 227 (Packers and Stockyards Act); 15 U.S.C.
Sec. 1011 et seq. (McCarran-Ferguson Act).
Section 4(a)(3) prohibits the FTC from requiring the
deployment of any specific products or technologies, including
any specific computer software or hardware, in promulgating
rules under this Act. The Committee recognizes the rapidly
evolving improvements in technologies and products to protect
personal information and believes the market is the most
effective mechanism in determining which specific products best
protect personal information.
Section 4(b) provides for enforcement by an attorney
general of a State or an official or agency of a State if the
attorney general, or an official or agency of a State has
reason to believe that an interest of the residents of that
State has been or is threatened or adversely affected by a
violation of section 2 or 3. The attorney general or official
or agency of a State may bring civil action to enjoin further
violations of section 2 or 3, compel compliance with section 2
or 3, or to obtain civil penalties for violations of section 2
or 3.
Section 4(b)(2)(A) sets forth the structure for civil
penalties. With respect to a violation of section 2, the civil
penalty is calculated by multiplying the number of violations
of the section by an amount not greater than $11,000, with each
day of noncompliance treated as a separate violation. Civil
penalties for violations of section 2 are capped at $5 million.
Beginning with the first Consumer Price Index published at
least one year after the date of enactment of this Act, and
continuing on an annual basis, section 4(b)(2)(B) requires the
amounts specified in section 4(b)(2)(A) to be increased by the
annual percentage increase in the Consumer Price Index.
Section 4(b)(3) provides specific obligations and
limitations on State actions. In particular, section 4(b)(3)(A)
requires a State to provide prior written notice to the FTC of
any action brought under this Act and to provide the Commission
with a copy of the complaint. The Commission has the right to
intervene in the action by the State, to be heard on all
matters relating to the action, and to file petitions for
appeal. Further, if the FTC has instituted a civil action for a
violation of this Act, State action is stayed during the
pendency of the Federal action.
Section 4(c) provides an affirmative defense to an
enforcement action brought under subsection (a) or a civil
action brought under subsection (b), if all of the personal
information contained in the data was acquired as a result of a
breach of security is public record information and was
acquired by the defendant from public records.
Section 6. Effect on other laws
Section 6(a) provides that the Act preempts statutes,
regulations, or rules of a State, or a subdivision of a State,
with respect to the entities covered by the regulations issued
pursuant to the Act, that require information security
practices and treatment of data in electronic form containing
personal information similar to any of those required under
section 2 and notification for a breach of security resulting
in an unauthorized acquisition of data in electronic form
containing personal information.
Section 6(b) prohibits any person other than the attorney
general of a State to bring a civil action under the law of any
State if such action is premised in whole or in part upon the
defendant violating any provision of this Act, but makes clear
that this prohibition shall not be construed to limit the
enforcement of any State consumer protection law by an Attorney
General of a State. Section 6(c) specifically preserves State
trespass, contract, and tort law, and other State laws to the
extent those acts relate to acts of general consumer fraud.
Section 6(d) preserves the FTC's authority under any other
provision of law, including the authority to issue advisory
opinions, policy statements, or guidance regarding the Act.
In addition, the Act is not intended to weaken the privacy
protections for health information established pursuant to the
Health Insurance Portability and Accountability Act of 1996
(HIPAA) and its regulations. This includes maintaining HIPAA's
provisions regarding State privacy laws related to identifiable
health information that are not contrary to or that are more
stringent than the requirements, standards, or implementation
specifications imposed under the HIPAA regulation.
�