One of the major issues facing companies today is not simply
compliance, but compliance with a multitude of regulations and
standards that have been passed at both the state and federal levels.
Eighteen states, for example, have passed widely varying versions of
the California Security Breach Notification Act. The rapid
proliferation of state-level legislation has led some, this author
included, to speculate on the possibility of the U.S. Congress creating
and passing an omnibus data security law. With a well-publicized
breach and the subsequent congressional hearings this summer, the
speculation regarding such a law reached fever pitch. On October 25,
2005 the House of Representatives finally put an end to the speculation
with the introduction of the Data Accountability and Trust Act (DATA).
On November 3, 2005 the House Subcommittee on Commerce, Trade and
Consumer Protection forwarded the bill to the full Committee on Energy
and Commerce. The bill is moving relatively quickly through the House,
though it is unlikely that it will pass in its current iteration.
DATA was introduced as a means to require any company that holds
personal information to take reasonable measures to protect the data
and to provide notification to any individuals that may have been
affected by a breach of the data security measures. The definition of
personal information used in this bill is much less inclusive than that
used by many states in their notification laws. The definition used
here is limited to an individual's Social Security number, driver's
license or other state-issued identification number, or financial
account number together with any access code or password for it. As
previously mentioned, eighteen states have already passed notification
laws. In general, the definition of personal information used by the
states has been more inclusive, including medical information and, in
some cases, biometric data as well. This bill would pre-empt all
existing state legislation on information security and notification.
A significant definition within the law is that of the term “security
breach.” In the bill, a security breach is defined as the
“unauthorized acquisition of data in electronic form containing
personal information that establishes a reasonable basis to conclude
that there is a significant risk of identity theft.” The bill does not
include a metric to define “significant risk.” Consumer groups worry
that, without such a definition, the bill is concerned more with the
appearance of data accountability than with actual consumer
protection.
Another important definition within the text of the bill is that of
“information broker.” In essence, any company that collects personal
information about individuals who are not its customers for the purpose
of selling or otherwise transmitting that information to another party
is considered an information broker. The term “data aggregator” has
also been used in this regard. The implications for the payment
services industry are clear: the definition used in this bill describes
a vast number of companies in the industry.
The bill is separated into several sections, or “titles,” designed to
illuminate the responsibilities of organizations collecting personal
information. The major provisions of the legislation include General
Security Policy and Procedures, Federal Trade Commission Review,
Individual Access to Information, and Security Breach Notification.
Following is a brief summary of each of those provisions.
General Security Policy and Procedures
The bill would require all persons engaged in interstate commerce who
store any personal information in electronic form to create and
implement general information security policies and procedures. The
policy is to be commensurate with the size and complexity of the
business and with current technology and practice. The cost of
implementing the safeguards should likewise be commensurate with the
size of the business and the activities in which it is engaged. The
policy must include practices for handling and disseminating the data.
According to the bill, the organization should appoint one individual
to be tasked with the management of information security. Each
organization is responsible for creating a process for identifying new
vulnerabilities and countering the risk to the data. The bill
suggests the use of encryption to mitigate the risk to the organization
and to the data.
Federal Trade Commission Review
All information brokers must submit their information security policies
to the FTC for review annually. Information brokers are defined as “a
commercial entity whose business is to collect, assemble, or maintain
personal information concerning individuals who are not customers of
such entity for the sale or transmission … to a third party.” In the
event of a security breach, the FTC will conduct an audit of the
information security practices of the affected company. According to
the language of the bill, the FTC may conduct additional audits as
needed for up to five years, until the practices of the company are
brought into compliance with the law.
Individual Access to Information
At least once per year, in response to the request of the individual,
the information broker must provide the individual with the means to
review any personal information about that individual that is held by
the information broker. This must be provided at no cost to the
individual making the request. The broker must also provide clear
notice on its website as to how that information can be obtained.
Further, consumers must be given the means to dispute inaccurate
information that is maintained by the broker. Once the individual has
filed a written request disputing the information, such dispute must be
included in any transmission of the data by the information broker.
Security Breach Notification
A breach of security is defined as “the unauthorized acquisition of
data…that establishes a reasonable basis to conclude that there is
significant risk of identity theft…” Upon discovering any breach of
personal information, the individual or organization holding the data
must notify each person whose information was compromised, as well as
the Federal Trade Commission. A notice must also be placed on the
organization's website that includes a toll-free telephone number at
which individuals can obtain information regarding the security
breach. If financial account data is compromised, the information
broker must further notify the institution at which the account is
held. Notification must be made in a reasonably timely manner.
The manner and content of the notification is also prescribed in the
bill. Notification of the breach can be made via written notice or
email, provided the individual in question has consented to be
contacted via email. The notification will include a description of
the information that was compromised, a telephone number to call for
information about the breach, contact information for major credit
reporting agencies and contact information for the Federal Trade
Commission. Alternative means of notification can be used in two
circumstances: (1) the cost of direct notification is excessive, as
determined under rules prescribed by the FTC, or (2) the organization
lacks sufficient information to contact the affected individuals
directly. If alternative means are used, the notification must include
a notice in print and broadcast media where the victims of the
compromise reside and a telephone number that individuals can call to
determine whether their information was compromised.
In addition to the notification provisions cited above, organizations
or persons that have detected a breach must provide credit reports to
affected individuals within two months of the compromise, and must
continue to provide them on a quarterly basis for two years. The
compromise must also be reported to the FTC, which will then post a
notice of the compromise on the Commission's website.
The existing bill has a sound foundation, but is likely to spark a
great deal of controversy on both sides of the issue. On the consumer
side, the lack of any defined metric for “significant risk” is clearly
not acceptable. In a case in California, the judge ruled that the CSSI
breach did not pose a significant risk of identity theft, and that
notification to affected consumers was therefore not required. It is
important to remember that the CSSI breach exposed not just account
numbers, but full magnetic stripe data. If that case did not
constitute significant risk, then the threshold for such a finding must
be unreasonably high and extremely vague.
On the other hand, business interests may also have reason to complain
about the bill in its existing form. It could be argued that the
clause requiring FTC review of security programs is prematurely
punitive. Today, FTC review of a company's security program is
typically the result of a settlement following an incident in which
that company lost or exposed consumer data. It may be said that
requiring companies to submit their security programs for review before
any breach occurs is imposing punishment before any transgression is
committed. Businesses may also reject the notion of providing credit
reports for two years following any breach; the cost of such a
provision may be seen as prohibitive.
Regardless of the above arguments, the fact remains that an omnibus
data security bill will be passed, despite the objections from either
side. It is in the best interest of all companies storing personal
data to ensure that their security “house” is in order before the
deadlines are imposed.