House panel approves data protection bill
Message to businesses: 'If you can't protect it, don't
collect it'
News Story by Grant Gross
MARCH 29, 2006
The House Energy and Commerce Committee's 41-0 approval of the Data
Accountability and Trust Act comes a year after the beginning of a rash of data
breaches at dozens of U.S. companies, starting with data brokers ChoicePoint
Inc. and LexisNexis Group. The bill, which now goes to the full House for a
vote, would require any company that "experiences reasonable risk of
identity theft" to notify potential victims as well as the Federal Trade
Commission (FTC).
"This is legislation that consumers deserve if we are to help them and our
economy defeat the growing menace of identity theft," Rep. Cliff Stearns
(R-Fla.), a primary sponsor of the bill, said in a statement.
Companies that encrypt data would be exempt from data breach notification
rules under the bill, as some tech trade groups have requested. Backers of an
encryption exemption say it would encourage more companies to use encryption.
Since the outbreak of breaches in early 2005, more than 20 states have
passed notification laws. Data brokers such as ChoicePoint have called for a
national law to standardize notification.
The House bill would require data brokers to develop security policies that
explain the "collection, use, sale, other dissemination and security"
of the data they hold. It would also direct the FTC to create standards for the
handling of personal data, and it would allow the FTC to audit a data broker's
security practices following a breach of security.
The bill would also allow consumers to annually access the records data
brokers hold about them and give them the right to demand inaccurate
information be corrected or labeled as disputed.
The bill "sends a clear message: 'If you can't protect it, don't
collect it,'" said Rep. John Dingell from Michigan, the committee's
ranking Democrat.