Witnesses Call for Data Security Legislation

Bill Introduction, Markup Planned for September

WASHINGTON - Draft legislation on identity theft and data theft would improve the security of personal data, witnesses told the Subcommittee on Commerce, Trade and Consumer Protection during a hearing on the bipartisan proposal Thursday.

"The threat you attempt to address today is very real and your efforts are timely and critically needed," one witness said.

As news of consumer data breaches becomes more common, the need for legislation becomes more crucial to protect consumers and to reinforce confidence in the Internet, they said.

The bill is scheduled to be introduced in September and a markup is expected soon thereafter.

The committee recently released a staff draft of legislation that requires the collectors of sensitive information to establish and maintain security policies and to notify consumers in the event of a data breach. The bill's primary elements include:

• A requirement for the Federal Trade Commission to develop rules for data security and requiring that companies and organizations holding sensitive personal date develop security policies and have a staff member dedicated to enforcing the policy.
• Defining "information brokers" as companies whose primary business is to compile and sell data to third parties. The bill requires information brokers to annually submit their security policy to the FTC for audit. Information brokers must also disclose what personal data they hold to consumers who ask for that information.
• The establishment of a national, uniform standard for consumer notification when a security breach occurs that could result in identity theft. Consumers will be notified both electronically and through the mail.

"In crafting robust and effective legislation, the point we need to make is that security sells. Consumers must be confident that their information is secure," said Rep. Cliff Stearns, R-Fla., chairman of the subcommittee. Several Democrats also expressed concern. "Don't collect it if you can't protect it," said Rep. Charles Gonzalez, D-Texas.

Witnesses provided several details about data breaches and supported the need for legislation. Daniel Burton, vice president of Entrust, Inc., a cybersecurity provider, pointed out that the identities of more than 44 million people have been compromised since May 2005. Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center, said it is difficult to determine how many of those whose identity was compromised would become victims of identity theft, since ID theft can occur years after the initial breach. Hoofnagle also said that data breaches could lead to other problems for consumers, such as stalking, extortion and spam. Several witnesses suggest additional provisions for the bill that they said would improve data security.

####