The Daily Caveat is written by Michael Thomas, a recovering corporate investigator in the Washington, DC-area.

11/07/2005
Data Accountability And Trust Act Makes it Out of Sub-Committee
Late last week the House Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection approved the Data Accountability and Trust Act (clever acronym alert - DATA). Among the elements of the bill, which is now headed for a vote in the full committee, are provisions that would:
* Direct the FTC to create rules requiring security for personal information. The FTC would have to take into account the size, nature, and scope of the person's activities, the current state of technology, and the cost of implementing security procedures.

* Require entities to have a security policy that explains the "collection, use, sale, other dissemination, and security" of the data they hold.

* Require entities to appoint and identify a person in the organization that is responsible for information security.

* Require any entity that experiences a breach of security to notify all those in the United States whose information was acquired by an unauthorized person as a result of the breach. Conspicuous notice on the breached entity's Web site is also required. The FTC must also be notified.

* Define "breach of security" as the unauthorized acquisition of personal information where it is reasonable to conclude there is significant risk of identity theft.

* Provide for an FTC or independent audit of an information broker's security practices following a breach of security. It permits the FTC to conduct or require audits for a period of five years after the breach, or until the commission determines security practices are in compliance with the act and are adequate to prevent further breaches.

* Prohibit costly and disruptive lawsuits by preempting state breach notification laws with private rights of action. It expressly preserves state consumer protection laws, as well as state trespass, contract, tort, and other state laws relating to fraud.
With the successful move out of the subcommittee has come another round of folks on both sides of the issue decrying the bill as going too far or, alternatively, as not going far enough. Meanwhile, Bob Sullivan at MSNBC's Red Tape Chronicles reminds us that 1 in 10 Americans received notification this year that their personal data could have been accessed illegally. And the Privacy Rights Clearinghouse cites eighty publicized data breaches since February. Heck, just this morning. And, if you are a serious glutton for punishment, this story also received the Slashdot treatment over the weekend.

Of primary concern to your friendly neighborhood investigators at Caveat Research is the potential for the passage of this bill to impair ready access to the essential data we use in the course of serving our clients.
The worry we face as an industry and as an individual company is that Congress, by seeking greater regulation of data aggregators, will impair the fundamental utility of the aggregators' legitimate services.

No one in our industry would seriously argue that the availability of personal data should be an unregulated free-for-all. Rather, sensitive data should be restricted to those with proper licensing as well as an accountable and legitimate reason for requesting it. The National Council of Investigation & Security Services, the investigative community's congressional advocate, describes the issue this way:
...Social Security numbers should not be made accessible to everyone. We also believe that such personal data should only be made available for those with a legitimate need for it. We are asking members of the Energy and Commerce Committee to provide an exception from the limitation on the use of Social Security numbers for specific purposes as follows:

“to identify or locate missing or abducted persons, witnesses, criminals and fugitives, persons that are or may become parties to litigation, parents delinquent in child support payments, organ and bone marrow donors, pension fund beneficiaries, missing heirs and persons material to due diligence inquiries.”
Our role is risk mitigation in a business transaction. Without access to personal identifiers such as Social Security numbers, we would face the nearly impossible task of separating one John Smith from the next, and our essential role in facilitating business transparency would be undercut. Moreover, the suggested restrictions would in no way actively combat the security lapses that brought aggregators into the public cross-hairs in the first place.

You can download the current version of the DATA bill here (PDF). The Senate is also considering a similar measure, the Personal Data Privacy and Security Act (notably, without a clever acronym) which you can review here (PDF).

-- MDT



all content © Michael D. Thomas 2010