The House of Representatives passed the Data Accountability and Trust Act (HR 2221) today:
“A bill to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach”
This bill essentially creates a nationwide breach notification law that requires companies holding personal information to notify affected individuals of a breach. In addition to breach notification, the bill requires companies that store electronic personal information to establish proper security policies and to designate a security policy coordinator. Personal information is defined as:
“an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number.
(ii) Driver’s license number or other State identification number.
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”
The fines are steep and could be as high as $11,000 per violation up to $5,000,000.
Notification may happen via postal mail or e-mail (if e-mail is the primary communication method and if consent to communicate via e-mail was previously given).
The Bill provides an exemption from breach notification if encryption is used. However, it also mandates that the Federal Trade Commission explore other technologies and report back to Congress 270 days after enactment. Given terminology like “renders data in electronic form unreadable or indecipherable”, it is unlikely that anything other than encryption would qualify:
“(A) ENCRYPTION- The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been or is reasonably likely to be compromised.
(B) ADDITIONAL METHODOLOGIES OR TECHNOLOGIES- Not later than 270 days after the date of the enactment of this Act, the Commission shall, by rule pursuant to section 553 of title 5, United States Code, identify any additional security methodology or technology, other than encryption, which renders data in electronic form unreadable or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that any such methodology or technology has been or is reasonably likely to be compromised. In promulgating such a rule, the Commission shall consult with relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies.”