
ISPLA News: House Commerce Committee Hearing Held - Data Accountability and Trust Act introduced

  • Peter Psarouthakis
    Message 1 of 1, May 6, 2011
      House Commerce Committee Hearing Held - Data Accountability and Trust Act

      On May 4, 2011, members of the Subcommittee on Commerce, Manufacturing, and
      Trade of the House Energy and Commerce Committee held a hearing on "The
      Threat of Data Theft to American Consumers" and heard two panels of
      witnesses. The committee, chaired by Rep. Mary Bono Mack [R-CA-45], heard
      testimony from the following:

      David Vladeck, FTC Director, Bureau of Consumer Protection

      Pablo Martinez, U.S. Secret Service, Deputy Special Agent in Charge,
      Criminal Investigative Division

      Justin Brookman, Director, Consumer Privacy Project, Center for Democracy
      and Technology

      Dr. Gene Spafford, Executive Director, Purdue University

      A released May 2 Internal Memorandum from the Republican Committee Staff to
      the committee's members provides valuable background information on where
      this committee intends to focus regarding bills being considered to address
      data breaches. ISPLA recently commented on HR 1707, the "Data Accountability
      and Trust Act" introduced the day of the hearing by Rep. Bobby L. Rush
      [D-IL-1]. Representative Mary Bono Mack has indicated she will also
      introduce her own bill. The information below comes from documents released
      by the Subcommittee on Commerce, Manufacturing, and Trade, which in part
      covers the following:

      Since the issue of data breaches became a common household term in 2005 when
      hackers gained access to 160,000 consumer records in the ChoicePoint data
      breach, American consumers have been inundated with reports of such data
      breaches on a regular basis. According to the Privacy Rights Clearinghouse,
      over 2,500 data breaches implicating nearly 600 million records have been
      made public since that time. In April 2011 alone, the Clearinghouse
      reported over 30 data breaches occurring at hospitals and medical provider
      offices; universities; insurance companies; airlines; technology companies;
      banks; and at the municipal, State, and Federal government levels. These
      breaches occurred via phishing, theft of computer or other devices, and
      hacking, impacting a minimum of 99 million records (a number of these
      breaches impacted an "unknown" number of records).

      These records involve various pieces of information that can be used alone
      or in conjunction with other pieces of information to wreak havoc on a
      consumer's financial well-being by using existing lines of credit or
      establishing new lines of credit, to gain unlawful access to bank accounts,
      to acquire jobs or government benefits for which they are otherwise not
      eligible, seek medical care, or use another's identification in a law
      enforcement situation. Data breaches often involve unauthorized access to a
      person's name, birth date, Social Security number, driver's license number,
      credit account numbers, financial account numbers, usernames and passwords,
      or PIN numbers.

      Whether the breach occurs inadvertently through the accidental release of
      information, in the offline world by loss of a laptop or stolen records, or
      online via hacking, the results can be disastrous for consumers. The FTC
      estimates nearly 9 million Americans fall victim to identity theft annually,
      costing both consumers and businesses tens of billions of dollars each year.
      While the Identity Theft Resource Center reports that both the cost to
      consumers has fallen as has the number of hours lost in resolving identity
      thefts, consumers still lose hundreds of dollars out of pocket and spend
      dozens of hours on cleanup efforts.

      In recent years, sophisticated and carefully orchestrated cyber attacks -
      designed to obtain personal information about consumers, especially when it
      comes to their credit cards - have become one of the fastest growing
      criminal enterprises here in the United States and across the world. The
      boldness of these attacks and the threat they present to unsuspecting
      Americans was underscored recently by massive data breaches at Epsilon and
      Sony. ISPLA reported previously on the ramifications of the Epsilon breach.

      With 77 million accounts stolen - including some 10 million credit card
      numbers - the recent data breach involving Sony's PlayStation Network has
      the potential to become the "Great Brink's Robbery" of cyber attacks. And
      the "take" keeps going up.

      While the FBI and Secret Service, along with other law enforcement agencies,
      work around the clock to try and crack this sensational case, we now learn
      that a second Sony online service was also compromised during the same time
      period. Computer hackers obtained access to personal information relating
      to an additional 25 million customer accounts. That's more than 100 million
      accounts now in jeopardy.

      Like their customers, both Sony and Epsilon, also hacked, are victims too.
      However, they also must shoulder some of the blame for these stunning
      thefts, which shake the confidence of everyone who types in a credit card
      number and hits "enter." "E-commerce is a vital and growing part of our
      economy" the chairwoman stated. "We should take steps to embrace and
      protect it - and that starts with robust cyber security."

      As Chairman of this Subcommittee, Rep. Bono Mack also stated she was deeply
      troubled by these latest data breaches, and the decision by both Epsilon and
      Sony not to testify before her hearing she found to be unacceptable.

      While more than 40 States have individual data breach notification
      requirements, with the exception of notification requirements for breached
      health information, there is no Federal data breach notification law. As a
      result of the confusing and often overlapping or contrary patchwork of State
      notification laws, Rep. Cliff Stearns [R-FL-6] (the then-Chairman of the
      Subcommittee on Commerce, Trade, and Consumer Protection) introduced H.R.
      4127, the "Data Accountability and Trust Act (DATA)" in the 109th Congress.
      The bill established (1) security requirements for entities holding personal
      information to protect against unauthorized access; (2) notification
      procedures to affected consumers upon a breach; and (3) special requirements
      for information brokers. It charged the FTC with enforcement. The
      Committee reported H.R. 4127 on a bipartisan basis but the bill did not
      proceed to the full House for a vote as a result of disagreements with other
      committees regarding jurisdiction that could not be resolved before the
      Congressional calendar expired.

      In the 110th Congress, then-Chairman Bobby Rush [D-IL-1] re-introduced H.R.
      4127 as H.R. 958 but the legislation received no Committee action. In the
      111th Congress, Rep. Rush again reintroduced DATA as H.R. 2221, as amended
      from earlier versions (see Section-by-Section Analysis below). H.R. 2221
      processed through the Committee on a bipartisan basis and passed the House
      by voice vote on December 8, 2009. As amended, H.R. 2221:

      Required entities that hold personal information to establish and maintain
      appropriate security policies to prevent unauthorized acquisition of that

      Required companies to notify consumers in the event of a breach of
      personally identifiable information that results in a reasonable risk of
      identity theft or fraud.

      Imposed special requirements on information brokers, those that compile and
      sell consumer data to third parties, including assuring accuracy of their
      information, allowing consumer access to their records and the ability to
      correct inaccurate information.

      Superseded State data breach and notification laws but permitted enforcement
      by State Attorneys General with an aggregate cap on damages.

      Preempted similar State laws to create a uniform national standard for data
      security and breach notification.

      Mandated reasonable security practices for paper records containing
      personally identifiable information.

      Permitted an information broker to include intentionally false information
      in a database if used for fraud detection purposes and the information is
      identified as inaccurate.

      Allowed for a delay in breach notification for law enforcement or national
      security purposes.

      Added passport numbers and military ID numbers to the definition of personal

      Chairman Mary Bono Mack intends to introduce a data security bill based on
      H.R. 2221 after receiving comments through Subcommittee oversight and a
      relevant stakeholder process. ISPLA's constituents will be represented
      regarding concerns with defining investigators as information brokers and
      restrictions placed on the recognized investigative tool of pretexting.

      Bruce Hulme

      ISPLA Director of Government Affairs

      To join us and support our proactive efforts in Washington please visit

      www.ISPLA.org (http://www.ispla.org/)

      We do much more than just keeping the profession informed!
