Privacy and Security Law Blog

Posted by Teena Lee

On March 23, 2006, the House Energy and Commerce Committee announced that it reached a bipartisan agreement on the Data Accountability and Trust Act (DATA), H.R. 4127. The amendments appear to address a couple of the concerns raised by various consumer advocacy groups to the original bill.

As reported here previously, objectors complained the Act left the target of a security breach too much discretion to determine whether notification should be made and failed to allow parties other than the FTC enforcement powers. The “manager’s amendment” appears to try to address those concerns and changes the threshold for consumer notification from a “significant risk of identity theft” to a “reasonable risk of identity theft to the individual to whom the personal information relates, fraud or other unlawful conduct” and provides enforcement powers to state attorneys general, in addition to the FTC.

Some other changes include:

• Exempting breaches of data that is otherwise protected by encryption from notification requirements;

• Requiring data brokers to regularly monitor security systems for breaches;

• Requiring data brokers to establish reasonable procedures to verify the accuracy of information collected and maintained;

• Allowing consumers annual access to records on them maintained by data brokers to have inaccurate information corrected or labeled as “disputed”;

• Requiring the FTC to notify the Secretary of Health and Human Services if it determines that a data breach includes individually identifiable health information;

• Requiring a telecommunications carrier, cable operator or other information transmitter that becomes aware of a security breach to report it;

• Adding civil penalties of a maximum of $11,000 per violation, with a calculated total maximum of $5 million.

Yesterday, on March 29, 2006, the House Energy and Commerce Committee unanimously approved by a vote of 41-0 the amended Act – are these changes enough to satisfy the objectors?