Committee to Approve Bipartisan ID Theft Bill

New Language Released; Markup Set Wed., March 29

WASHINGTON - House Energy and Commerce Committee leaders have reached bipartisan agreement on sweeping legislation to tackle the fastest growing criminal enterprise in the United States - identity theft - and plan to formally approve the bill at a Wednesday, March 29 markup.

Today the committee released the text of a "manager's amendment," making a number of changes to the Data Accountability and Trust Act (DATA) that the Subcommittee on Commerce, Trade and Consumer Protection approved in November (H.R. 4127).

"Identity theft is not much different than burglary, and often it looks like the crooks are walking into places where the doors and windows have been left open," said U.S. Rep. Joe Barton, R-Texas, chairman of the Energy and Commerce Committee. "Worse yet, months can pass before the identity theft victim even hears about it, and then the damage may take years to repair.

"Under current law, anyone has a near-perfect right to package your personal information and do almost anything they want with it," Barton added. "They can change it, share it, rent it or sell it. The constraints are so flimsy they're laughable. Our goal in developing this legislation is to encourage a culture of strong data security."

"Identity theft ruins lives, and this bill with the manager's amendment strikes a blow for consumers," said U.S. Rep. John D. Dingell, D-Mich., ranking member of the committee. "It focuses on strong security systems, notice to consumers of breaches, and tough enforcement. I look forward to working with Chairman Barton to move this bill through Congress this year."

The Federal Trade Commission (FTC) says that during a one-year period, nearly 10 million people had discovered that they were victims of identity theft. Estimated losses translated into $48 billion for businesses and $5 billion to consumers.

U.S. Rep. Cliff Stearns, R-Fla., chairman of the Commerce, Trade, and Consumer Protection Subcommittee, is the lead sponsor of H.R. 4127 and co-sponsors include House Republican Conference Chairman Deborah Pryce, R-Ohio.

The manager's amendment would:

  • Narrow the definition of data brokers to include only those entities that sell noncustomer data to nonaffiliated third parties, ensuring mailing lists and others aren't inadvertently affected by the law. The FTC would also be granted the authority to deem in compliance with H.R. 4127 those companies already meeting the Fair Credit Reporting Act, Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA) requirements.
  • Require data brokers to establish reasonable procedures to verify the accuracy of information that they collect and maintain.
  • Change the threshold for consumer notification from "significant risk of identity theft" to "reasonable risk of identity theft to the individual to whom the personal information relates, fraud or other unlawful conduct."
  • Require data brokers to regularly monitor security systems for breaches.
  • Prohibit data brokers from obtaining information on someone by impersonating that person - also known as "pretexting."
  • Allow consumers annual access to records maintained on them by data brokers as well as the right to have inaccurate information corrected or labeled as disputed.
  • Require the FTC to notify the Secretary of Health and Human Services if it determines that a data breach includes individually identifiable health information.
  • Afford the FTC the flexibility to recognize future methods or technology to safeguard data, not just today's existing encryption capabilities. Exempt from notification requirements data protected by encryption or other approved methods or technology.
  • Allow the FTC one year to promulgate rules required by H.R. 4127.
  • Require the FTC to study the maintenance of obsolete paper records containing personal information; the language also authorizes the agency to adopt rules to address any shortcomings in existing law.
  • Provide for enforcement of H.R. 4127 by both the FTC and state attorneys general.
  • Require a telecommunications carrier, cable operator or other information transmitter that becomes aware of a security breach to report it.

The underlying DATA Act would:

  • Direct the FTC to create rules setting rigorous national standards for data brokers to protect personal information.
  • Require data brokers to have a security policy that explains the "collection, use, sale, other dissemination, and security" of the data they hold.
  • Require entities to appoint and identify a person in the organization who is responsible for information security.
  • Require any entity that experiences a breach of security to notify all those in the United States whose information was acquired by an unauthorized person as a result of the breach. Conspicuous notice on the breached entity's Web site is also required. The FTC must also be notified.
  • Provide for an FTC or independent audit of an information broker's security practices following a breach of security. Permit the FTC to conduct or require audits for a period of five years after the breach, or until the commission determines security practices are in compliance with the act and are adequate to prevent further breaches.
