WASHINGTON — Ten months, three hearings and two bill drafts after widespread data breaches began to make headlines, House Republicans finally placed their legislative cards on the table Thursday. Democrats say they shouldn’t have bothered.
The Data Accountability and Trust Act (DATA), approved by a subcommittee after a contentious five-hour hearing, would require data brokers to disclose to consumers any unencrypted breaches of their personal data. The bill would also pre-empt all state data breach laws.
“Data security has not been given the priority it should be, and the bill before us will change that,” House Energy and Commerce Chairman Joe Barton (R-Tex.) said. “It requires tough security measures and appropriate notice when consumers are put at risk through no fault of their own.”
Well, maybe, said the subcommittee’s Democrats.
The bill defines a data breach as the unauthorized acquisition of personal information that establishes a “reasonable basis” to conclude that there is a “significant risk” of identity theft.
For purposes of disclosure, the bill defines identity theft as “assuming another person’s identity for the purpose of engaging in commercial transactions.”
In the wake of breaches at companies such as ChoicePoint and LexisNexus and lost data tapes by the likes of Bank of America, CitiFinancial and Ameritrade, nearly 51 million notices have gone out to consumers, thanks to a California state law requiring disclosure of data breaches. The California law requires disclosure whenever there is an “unauthorized acquisition of [data] that compromises the security, confidentiality or integrity of personal information.”
Said Illinois Democrat Janice Schakowsky, “No notices would have gone out under the standard put forth in this bill. ‘Significant risk’ is almost impossible to prove.”
Rep. John Dingell (D-Mich.) said the nationwide notice provisions proposed by the Republicans are actually “no notice” provisions.
“I also cannot support pre-emption of stronger state laws,” Dingell, the ranking Democrat on the Energy and Commerce Committee, said. “Why bother to pass a bill at all, if this is what we propose to do to the American public?”
Democrats also objected to a last-minute change in the bill’s language that eliminates a provision allowing consumers to review the personal information maintained on them by data brokers.
“I find this change most curious indeed,” Dingell said.
Rep. Cliff Stearns (R-Fla.), chairman of the subcommittee, said the DATA Act is the “initial step” to offer relief to consumers and businesses.
“I want to re-emphasize to my Republican and Democratic colleagues that [the DATA Act] is the beginning of a long process,” Stearns said. “Unfortunately, we have not reached consensus with [Democrats] on all issues. I am optimistic we will get there.”
If Thursday’s hearing is any example, it might be a very long process, indeed, to reach accord with the Democrats.
Along purely party lines, Republicans on the subcommittee rejected amendments by the Democrats to replace the bill’s disclosure trigger language with the California standard, to restore consumers’ rights to review information held by data brokers, and to remove the national pre-emption of state laws.
But while Democrats have problems with the bill, Jon Oltsik, senior analyst for information security at the Enterprise Strategy Group, said the legislation is “another driver” pushing adoption of data encryption and other storage security measures. “Between compliance, visible breaches and improving security, there is plenty of motivation to move forward,” Oltsik told Enterprise Storage Forum.
Article courtesy of Internet News