House Commerce Committee Hearing Held - Data Accountability and Trust Act
On May 4, 2011, members of the Subcommittee on Commerce, Manufacturing, and
Trade of the House Energy and Commerce Committee held a hearing on "The
Threat of Data theft to American Consumers" and heard two panels of
witnesses. The committee, chaired by Rep. Mary Bono Mack [R-CA-45] heard
testimony from the following:
David Vladeck, FTC Director, Bureau of Consumer Protection
Pablo Martinez, U.S. Secret Service, Deputy Special Agent in Charge,
Criminal Investigative Division
Justin Brookman, Director, Consumer Privacy Project, Center for Democracy
Dr. Gene Spofford, Executive Director, Purdue University
A released May 2 Internal Memorandum from the Republican Committee Staff to
the committee's members provides valuable background information on where
this committee intends to focus regarding bills being considered to address
data beaches. ISPLA recently commented on HR 1707, the "Data Accountability
and Trust Act" introduced the day of the hearing by Rep. Bobby L. Rush
[D-IL-1]. Representative Mary Bono Mack has indicated she will also
introduce her own bill. The information below comes from documents released
by the Subcommittee on Commerce, Manufacturing, and Trade, which in part
covers the following:
Since the issue of data breaches became a common household term in 2005 when
hackers gained access to 160,000 consumer records in the ChoicePoint data
breach, American consumers have been inundated with reports of such data
breaches on a regular basis. According to the Privacy Rights Clearinghouse,
over 2,500 data breaches implicating nearly 600 million records have been
made public since that time. In April 2011 alone, the Clearinghouse
reported over 30 data breaches occurring at hospitals and medical provider
offices; universities; insurance companies; airlines; technology companies;
banks; and at the municipal, State, and Federal government levels. These
breaches occurred via phishing, theft of computer or other devices, and
hacking, impacting a minimum of 99 million records (a number of these
breaches impacted an "unknown" number of records).
These records involve various pieces of information that can be used alone
or in conjunction with other pieces of information to wreak havoc on a
consumer's financial well-being by using existing lines of credit or
establishing new lines of credit, to gain unlawful access to bank accounts,
to acquire jobs or government benefits for which they are otherwise not
eligible, seek medical care, or use another's identification in a law
enforcement situation. Data breaches often involve unauthorized access to a
person's name, birth date, Social Security number, driver's license number,
credit account numbers, financial account numbers, usernames and passwords,
or PIN numbers.
Whether the breach occurs inadvertently through the accidental release of
information, in the offline world by loss of a laptop or stolen records, or
online via hacking, the results can be disastrous for consumers. The FTC
estimates nearly 9 million Americans fall victim to identity theft annually,
costing both consumers and businesses tens of billions of dollars each year.
While the Identity Theft Resource Center reports that both the cost to
consumers has fallen as has the number of hours lost in resolving identity
thefts, consumers still lose hundreds of dollars out of pocket and spend
dozens of hours on cleanup efforts.
In recent years, sophisticated and carefully orchestrated cyber attacks -
designed to obtain personal information about consumers, especially when it
comes to their credit cards - have become one of the fastest growing
criminal enterprises here in the United States and across the world. The
boldness of these attacks and the threat they present to unsuspecting
Americans was underscored recently by massive data breaches at Epsilon and
Sony. ISPLA reported previously on the ramifications of the Epsilon breach.
With 77 million accounts stolen - including some 10 million credit card
numbers - the recent data breach involving Sony's PlayStation Network has
the potential to become the "Great Brink's Robbery" of cyber attacks. And
the "take" keeps going up.
While the FBI and Secret Service, along with other law enforcement agencies,
work around the clock to try and crack this sensational case, we now learn
that a second Sony online service was also compromised during the same time
period. Computer hackers obtained access to personal information relating
to an additional 25 million customer accounts. That's more than 100 million
accounts now in jeopardy.
Like their customers, both Sony and Epsilon also hacked, are victims, too.
However, they also must shoulder some of the blame for these stunning
thefts, which shake the confidence of everyone who types in a credit card
number and hits "enter." "E-commerce is a vital and growing part of our
economy" the chairwoman stated. "We should take steps to embrace and
protect it - and that starts with robust cyber security."
As Chairman of this Subcommittee, Rep. Bono Mack also stated she was deeply
troubled by these latest data breaches, and the decision by both Epsilon and
Sony not to testify before her hearing she found to be unacceptable.
While more than 40 States have individual data breach notification
requirements, with the exception of notification requirements for breached
health information, there is no Federal data breach notification law. As a
result of the confusing and often overlapping or contrary patchwork of State
notification laws, Rep. Cliff Stearns [R-FL-6] (the then-Chairman of the
Subcommittee on Commerce, Trade, and Consumer Protection) introduced H.R.
4127, the "Data Accountability and Trust Act (DATA)" in the 109th Congress.
The bill established (1) security requirements for entities holding personal
information to protect against unauthorized access; (2) notification
procedures to affected consumers upon a breach; and (3) special requirements
for information brokers. It charged the FTC with enforcement. The
Committee reported H.R. 4127 on a bipartisan basis but the bill did not
proceed to the full House for a vote as a result of disagreements with other
committees regarding jurisdiction that could not be resolved before the
Congressional calendar expired.
In the 110th Congress, then-Chairman Bobby Rush [D-IL-1] re-introduced H.R.
4127 as H.R. 958 but the legislation received no Committee action. In the
111th Congress, Rep. Rush again reintroduced DATA as H.R. 2221, as amended
from earlier versions (see Section-by-Section Analysis below). H.R. 2221
processed through the Committee on a bipartisan basis and passed the House
by voice vote on December 8, 2009. As amended, H.R. 2221:
Required entities that hold personal information to establish and maintain
appropriate security policies to prevent unauthorized acquisition of that
Required companies to notify consumers in the event of a breach of
personally identifiable information that results in a reasonable risk of
identity theft or fraud.
Imposed special requirements on information brokers, those that compile and
sell consumer data to third parties, including assuring accuracy of their
information, allowing consumer access to their records and the ability to
correct inaccurate information.
Superseded State data breach and notification laws but permitted enforcement
by State Attorneys General with an aggregate cap on damages.
Preempted similar State laws to create a uniform national standard for data
security and breach notification.
Mandated reasonable security practices for paper records containing
personally identifiable information.
Permitted an information broker to include intentionally false information
in a database if used for fraud detection purposes and the information is
identified as inaccurate.
Allowed for a delay in breach notification for law enforcement or national
Added passport numbers and military ID numbers to the definition of personal
Chairman Mary Bono Mack intends to introduce a data security bill based on
H.R. 2221 after receiving comments through Subcommittee oversight and a
relevant stakeholder process. ISPLA's constituents will be represented
regarding concerns with defining investigators as information brokers and
restrictions placed on the recognized investigative tool of pretexting.
ISPLA Director of Government Affairs
To join us and support our proactive efforts in Washington please visit
We do much more than just keeping the profession informed!
[Non-text portions of this message have been removed]