While Congress Mulls Over the DATA Act, Customers’ Personal Information Remains at Risk

Posted by Teena Lee

On October 25, 2005, Representative Cliff Stearns (R-Fla.) introduced Bill H.R. 4127, the Data Accountability and Trust Act (DATA), in the House of Representatives. Purportedly in response to the ChoicePoint and LexisNexis breaches and failures of security, the Act, in brief, charges the FTC to promulgate regulations requiring persons engaged in interstate commerce that own or possess data containing personal information in electronic form to establish and implement information security policies and procedures concerning the treatment and protection of personal information. Notably, the bill would preempt state information security laws. On November 3, 2005, the DATA Act was approved on a vote of 13-8 by the Energy and Commerce Committee’s Subcommittee on Commerce, Trade and Consumer Protection, and has been forwarded to the full Energy and Commerce Committee, where it presently sits.

Since its introduction, the Act has generated much criticism; consumer advocacy groups have complained that the Act as drafted is too weak and leaves too much discretion with the target of a breach (who may have a disincentive to report a breach) to determine whether notification of a breach should occur. Objecting parties also have complained that the Act improvidently invalidates stronger state laws, strips other means of enforcement (i.e., by State Attorneys General and private citizens), and further burdens an already overwhelmed FTC.

While Congress mulls over DATA, spammers and other criminals continue to take advantage of weak security systems. The latest breach of overwhelming magnitude is of the online payment service iBill, a credit card processor for adult entertainment websites. Seventeen million customers of iBill have had data including their names, phone numbers, email addresses and internet IP addresses -- and possibly their logins and passwords and credit card types and purchase amounts -- stolen and released on the internet for sale, and some of that data has already made its way into the hands of criminal hackers. But because the data stolen did not include Social Security, credit card or driver’s license numbers, iBill was not required to, and has not, notified any of those 17 million customers.

What will be interesting to see over the next few months is whether the House will heed the warnings of the objectors to the present draft of the Act.
