HR 2221 – the DATA Act
The House of Representatives passed HR 2221, the Data Accountability and Trust Act, last month, a bill that tries to set up a nation-wide, common way to handle data breaches. I really don't like the way the US government feels the need to make almost-clever names for laws that also create related acronyms (CAN-SPAM, DATA, etc.), but that doesn't make the content of HR 2221 any less interesting.
Here's how the House summarizes this bill:
Data Accountability and Trust Act – Requires the Federal Trade Commission ( FTC) to promulgate regulations requiring each person engaged in interstate commerce that owns or possesses electronic data containing personal information to establish security policies and procedures.
Authorizes the FTC to require a standard method or methods for destroying obsolete nonelectronic data.
Requires information brokers to submit their security policies to the FTC in conjunction with a security breach notification or on FTC request.
Requires the FTC to conduct or require an audit of security practices when information brokers are required to provide notification of such a breach.
Authorizes additional audits after a breach.
Requires information brokers to:
(1) establish procedures to verify the accuracy of information that identifies individuals;
(2) provide to individuals whose personal information it maintains a means to review it;
(3) place notice on the Internet instructing individuals how to request access to such information; and
(4) correct inaccurate information. Directs the FTC to require information brokers to establish measures which facilitate the auditing or retracing of access to, or transmissions of, electronic data containing personal information. Prohibits information brokers from obtaining or disclosing personal information by false pretenses (pretexting). Prescribes procedures for notification to the FTC and affected individuals of information security breaches.
Sets forth special notification requirements for breaches:
(1) by contractors who maintain or process electronic data containing personal information;
(2) involving telecommunications and computer services; and
(3) of health information.
Preempts state information security laws.
You can find the full text of the bill here.
There's a similar bill making its way through the Senate – S 1490, the Personal Data Privacy Act of 2009. Previous efforts in the Senate (S 495, S 1332 and S 1789) didn't go anywhere. It will be interesting to see how the House's attempt at addressing the problem of data breaches is received by the Senate.