Bills in the 110th Congress on notice of security breach and other data security issues


Key Issues on Financial Privacy and Identity Theft in Congress – 2007

This summary discusses the major data privacy and identity theft issues under debate in the 110th Congress and outlines the key features of many of the 2007 federal data privacy bills.
* Notice of breach to individuals. Individuals need to know when there is a breach of the security of their sensitive personal information such as a Social Security number, government identification number, payment card information, or account number which provides access to finances or to financial information. Once the individual gets the notice, he or she can take steps to prevent or detect identity theft. A strong notice of breach requirement creates an incentive for both companies and government agencies to work to prevent future security breaches.
* No “trigger” on the obligation to give notice. The strongest state notice of breach laws, including those in California, New York and Illinois, require notice when the security of certain types of sensitive information has been breached. Many of the federal bills add an additional “risk standard” that will eliminate notice of some security breaches involving sensitive personal information. Under a “trigger” approach, a business doesn’t have to give notice unless it determines that the breach creates a reasonable or even a higher level of a risk of identity theft or other harm. Consumers Union calls a risk trigger “don’t know, don’t tell” because it excuses notice when there is insufficient information about the breach.
There are two responsible ways to consider risk without using a risk trigger. First, security breach notice is always limited by the types of data: notice must be given only about breaches of the most sensitive types of personal and financial data. Thus, there is no need for an additional risk test. Second, if there is to be a standard for risk beyond the type of data breached, then risk should be considered as an exemption rather than as an affirmative trigger. Under an exemption approach, a company with a security breach has to qualify for the exemption by showing that there is no reasonable risk of harm. Under this approach, insufficient information about the level of risk doesn’t eliminate the obligation to tell consumers about the breach.
* Security freeze. The security freeze is the most effective tool to prevent new account identity theft. A security freeze allows each consumer the choice to “freeze” or lock access to his or her credit file against anyone trying to open up a new account or to get new credit in the name of the consumer. When a security freeze is in place, an identity thief can’t open a new account in the victim’s name because the potential creditor or seller of services can’t check the consumer’s credit. The consumer may temporarily or permanently lift the freeze when he or she is applying for credit.
As of May 2007, thirty-six states and the District of Columbia had enacted security freeze laws, and 28 of the 36 state laws make the freeze available to all consumers. Congress should give all consumers the right to a low-cost, easy-to-use security freeze. In the meantime, the Federal Trade Commission must inform and educate consumers about this right, which is already available to so many consumers.
A strong security freeze is:
* Free or low cost ($0 – $5) to place.
* Free of all fees to ID theft victims.
* Free of fees to lift the freeze so that the consumer can use his or her own credit record.
* Easy to place and lift by regular mail, telephone, or electronic means as selected by the consumer.
* Guarantees a fast lift – within 15 minutes when requested by phone or by electronic means.
* Protection of Social Security numbers. The Social Security number is the key to an individual’s financial front door. Consumers Union believes it is time to get the Social Security number out of the wallet, out of the mailbox, out of the marketplace, out of public records, and off the Internet. Identity theft could be reduced by effective restrictions on who can collect the Social Security number and how it can be used, as well as by stopping the unnecessary use of four digits or more of the SSN as a customer identifying number and on identification cards, pay stubs, and in mailings.
* Access and correction of data broker files. Data brokers collect and sell a wide range of information on individuals, which may include financial and biometric data, as well as arrest records, health, and employment records. Consumers don’t yet have a right to see or correct all of the files that data brokers hold on them.
* Information security safeguards. Federal law requires that financial institutions adopt appropriate physical, technical, and administrative safeguards for nonpublic personal information about customers. Many of the federal bills would require that companies which hold specific types of data about individuals must have a security safeguards policy. These federal proposals must be carefully crafted to avoid disrupting state data protection laws. As new uses are made of sensitive data, states need the freedom to develop new responses. A general obligation on companies to have and follow a policy to safeguard sensitive data should not displace more specific state law requirements prohibiting collecting certain types of sensitive information or from using that information in certain ways.
* Preemption. States have pioneered consumer protection laws to increase data privacy and to fight identity theft. State legislatures have developed and enacted laws requiring notice of security breach, security freeze laws, restrictions on the printing of SSNs on cards and in mailings, and other innovations. Further state progress is essential to fighting identity theft. When Congress deprives state laws of effect, this is called preemption. Identity thieves are fast-acting. Broad federal preemption in a data security law could stop states from keeping up with criminals. This is a particular risk for preemption that goes beyond the giving of security breach notices. Congress could do much more harm than good if it enacts weak federal standards that eliminate existing and new state law protections, particularly in the areas of information safeguards, the security freeze, restrictions on the collection or use of SSNs, and other areas beyond notice of breach.
* Dual Enforcement. Strong law enforcement protects consumers and increases the incentive of companies to follow the law. Any federal bill should at least allow for enforcement by state Attorneys General.
Summary of ID theft bills under active consideration in House and Senate in 2007 (as of May 18, 2007)
H.R. 958, the Data Accountability and Trust Act (DATA) – CU Supports (http://www.consumersunion.org/pdf/dingell_barton2007.pdf)
Introduced February 8, 2007. To be heard in the House Energy & Commerce Committee.
Lead sponsors: Representatives Mr. Rush, Mr. Stearns, Ms. Schakowsky, Mr. Dingell, Mr. Barton of Texas, Mr. Markey, Mr. Gordon, Ms. Eshoo, Mr. Stupak, Mr. Gene Green of Texas, Ms. DeGette, Mrs. Capps, Mr. Doyle, Ms. Solis, Mr. Gonzalez, Mr. Inslee, Ms. Baldwin, Ms. Hooley, Mr. Butterfield, Mr. Hastert, Mrs. Bono, Mr. Terry, Mr. Burgess, and Mr. Engel.
Notice of security breach:
* Persons engaged in interstate commerce must notify individuals of security breaches involving sensitive personal information.
* Eliminates notice if the breached entity “determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.”
* Encryption of data, and other method identified by the FTC, which renders data in electronic form unreadable or indecipherable, establishes a presumption of no reasonable risk of ID theft, fraud, or other unlawful conduct after a breach. Presumption is rebuttable by facts demonstrating that the data security method is reasonably likely to be compromised.
* Doesn’t require notice of breach for paper records.
* Provides substitute notice instead of individual notice for entities with less than 1,000 records and also when direct notification is not feasible due to excessive cost as determined by the FTC.
* Breach notice must include a toll free phone number.
* Breached entity must give consumer free quarterly credit reports for two years on request.
Data brokers:
* Data brokers must submit their security policies to the FTC after a data breach. Also requires a post-breach audit of data broker information security practices.
* Requires a data broker to use reasonable procedures to verify the accuracy of the personal information it collects.
* Gives consumers free annual review of the personal information about them maintained by a data broker, and requires notice of this right on the data broker’s website.
* Creates the right to dispute the contents of data broker files; requires data brokers to independently verify disputed information that can be verified; is silent on the obligation to correct errors found in that dispute process.
* FTC to issue regulations to create an auditable record of who has accessed electronic personal information from a data broker.
* Bars pretexting by information brokers.
Safeguards:
* FTC to enact regulations requiring persons engaging in interstate commerce that own or possess data in electronic form containing personal information on more than 10,000 persons to have policies and procedures for information security practices for information in electronic or digital form.
* Authorizes but does not require the FTC to issue regulations on a standard method for the destruction of obsolete paper documents and other non-electronic data if it makes certain findings.
Security freeze:
* Not addressed in this bill.
SSN restrictions:
* Not addressed in this bill.
Enforcement:
* Enforcement by the FTC and by state Attorneys General.
* Civil penalties of up to $11,000 per violation and up to $5 million total.
Impact on state laws protecting consumers:
* Displaces state laws that expressly require information security practices for data covered by the bill if those practices are similar to those in the bill. Also displaces state laws that require notification to individuals of a security breach by those entities covered by the bill. Other state laws remain undisturbed.
Other:
Expires ten years after the date of enactment.
S. 495, Personal Data Privacy and Security Act - CU Supports (http://www.consumersunion.org/pdf/S495.pdf)
Status: Reported by Senate Judiciary Committee May 23, 2007; awaiting action by the full Senate.
Lead sponsors: Senators Leahy, Specter, Feingold, Schumer, Sanders, Brown, and Cardin.
Notice of security breach:
* Businesses engaged in interstate commerce and federal government agencies must notify individuals of security breaches involving sensitive personally identifiable information.
* Exemption to notice if the breached entity submits a risk assessment in writing to the U.S. Secret Service and that risk assessment concludes that there is no significant risk that the breach has or will result in harm to those individuals whose information was subject to the security breach.
* When the data is encrypted or another method meeting effective industry standards has rendered the data indecipherable, this creates a presumption that no significant risk exists.
* The party giving the notice of security breach must demonstrate that any delay was justified.
* Notice should be given no later than 45 days after breach is discovered.
* Breach notice must include a toll free phone number.
* Makes knowingly covering up a breach a crime.
* Does not require that services such as periodic free credit reports be provided to individuals whose information was breached.
Data brokers:
* Gives individuals the right to review their data broker files for a reasonable fee, plus the right to dispute and correct inaccuracies.
* Requires third parties who take adverse action based on information in a data broker file to notify the individual.
Safeguards:
* Establishes standards for developing and implementing administrative, technical, and physical safeguards to protect the security of sensitive personal information in electronic or digital form. This requirement applies only to entities holding information on more than 10,000 U.S. persons.
Security freeze:
* Not addressed in this bill.
SSN restrictions:
* Not addressed in this bill.
Enforcement:
* Provides for enforcement by state Attorneys General.
* Civil penalty of not more than $1,000 per day per individual up to $1,000,000 per violation.
Impact on state laws protecting consumers:
* Displaces state laws related to notification of a security breach, except preserves state laws for additional victim protection assistance provided for by state law. Displaces all state laws relating to individual access to and correction of personal electronic records held by data brokers. Displaces state law requirements with respect to administrative, technical and physical safeguards on sensitive personally identifying information, except those adopted under the Gramm-Leach-Bliley Act.
S. 1178, Identity Theft Protection Act – CU has expressed concern about the notice standard (http://www.consumersunion.org/pdf/S1178.pdf)
Status: Introduced April 20, 2007. Ordered to be reported by Senate Commerce Committee April 25, 2007.
Lead Sponsors: Senators Inouye, Stevens, Pryor and Smith.
Notice of breach:
* Requires private entities and federal agencies to notify individuals of a security breach only when the breached entity “determines that the breach of security creates a reasonable risk of identity theft.” In making this determination, the breached entity may consider whether the data is usable or could be made usable.
* Allows substitute notice if the covered entity does not have sufficient contact information.
* Covers data in any form.
* Breach notice must include a toll free phone number.
* Notice must be given in the most expeditious manner but not later than 25 business days after discovery of the breach by the notifying entity.
* Does not require that services such as periodic free credit reports be provided to individuals whose information was breached.
Data brokers:
* Not addressed in this bill.
Safeguards:
* Requires covered entities and federal agencies to develop, implement, maintain, and enforce a written program for the security of sensitive personal information.
Security freeze:
* Allows all individuals to place a security freeze on their credit files for a fee of up to $10 per credit reporting agency to place the freeze, with two free temporary lifts per consumer reporting agency per year, plus $5 for additional temporary lifts. No fee to remove the freeze.
* No freeze fees for ID theft victims who request the freeze in writing, no fees for seniors, or for active duty military personnel and their spouses.
* Freeze may be placed in writing, by phone, or by a secure electronic connection, and lifted in writing or by a secure electronic connection.
SSN restrictions:
* Prohibits the solicitation of an SSN from an individual if another identifier can reasonably be used, but exempts from this rule use of the SSN in identification, verification, accuracy or identity proofing procedures and certain other uses.
* Prohibits display of SSN on employee or student identification card or tag and on state driver’s licenses.
* Bans sale, purchase, provision and display of SSNs to the general public unless there is consent or certain other exceptions.
* Defines SSN to exclude SSNs “to the extent that they are included in a publicly available information source, such as … government records.” This appears to mean that all of the restrictions pertaining to SSNs do not apply to SSNs included in public records.
* The above SSN restrictions do not apply to government entities.
* Bans new contracts by government for prison labor arrangements that expose SSNs to prisoners.
Enforcement:
* Provides for enforcement by state Attorneys General.
Impact on state laws protecting consumers:
* Displaces state laws that require a covered entity to: notify individuals of security breaches; or to develop, implement, maintain or enforce information security programs to which the Act applies. Also displaces state laws prohibiting the collection, solicitation, sale, provision or display of SSNs of the types described in section 11 of the Act.
* Preempts state security freeze laws only to the extent of inconsistency with the federal act.
S. 239, Notification of Risk to Personal Data Act of 2007
Status: Introduced January 10, 2007, Ordered to be reported by Senate Judiciary Committee May 3, 2007
Lead sponsor: Senator Feinstein
* Contains breach notice requirements which are substantially identical to S. 495.
S. 806, Consumer ID Protection and Security Act
Status: Introduced March 7, 2007, referred to Committee on Banking, Housing and Urban Affairs
Lead sponsor: Senator Pryor
* Contains security freeze provisions which were the basis for the freeze provisions found in S. 1178.
S. 1260 – Data Security Act of 2007
Status: Introduced May 1, 2007. Referred to the Committee on Banking, Housing, and Urban Affairs.
Lead Sponsors: Senators Bennett and Carper
Notice of security breach:
* Notice of security breach by private covered entities and federal agencies, each with a risk trigger containing a series of preconditions and exceptions.
* Risk trigger: Notice is only required if the breached entity determines the breached information “is reasonably likely to be misused in a manner causing substantial harm or inconvenience to the consumers.”
* “Substantial harm or inconvenience” requires material financial loss or civil or criminal penalties or the need to expend significant time and effort to correct erroneous information in order to avoid material financial loss, increased costs, or civil or criminal penalties.
* There is no security breach, and therefore no notice is required, if the sensitive information is “maintained or communicated in a manner that is not usable to commit identity theft or to make fraudulent transactions in financial accounts.”
* There is no security breach, and therefore no notice is required, if the information “is maintained or communicated in an encrypted, redacted, altered, edited, or coded form.”
* In determining whether the information is reasonably likely to be misused in a manner causing substantial harm or inconvenience, the entity that had the security breach can consider “neural networks.” In other words, a business can decline to give notice if it thinks that a computer network is likely to prevent or detect fraudulent transactions.
* Notice can be given by writing, email or phone, under regulations to follow. No requirement that the person be reached by phone, or that email be used only if there has been federal E-Sign consent or even that the parties regularly communicate only by email.
* Regulations to set forth when substitute notice can be given due to excessive cost.
Data broker:
* Not addressed in this bill.
Safeguards:
Covered entities and federal agencies shall implement, maintain, and enforce reasonable policies and procedures to protect the confidentiality and security of sensitive account information and sensitive personal information from the unauthorized use “that is reasonably likely to result in substantial harm or inconvenience to the consumer to whom such information relates.”
Security freeze:
* Not addressed in this bill.
SSN restrictions:
* Not addressed in this bill.
Enforcement:
* No state Attorney General enforcement.
Impact on state laws protecting consumers:
* Would displace all state laws “with respect to the responsibilities of any person” to protect the security of information relating to consumers, safeguard information related to consumers from potential misuse, investigate or provide notice of security breaches, or mitigate any loss or harm resulting from the unauthorized access or misuse of information relating to consumers.
Prepared by: Consumers Union Financial Services Campaign
Posted date: June 4, 2007

For media or legislative inquiries please contact:
Gail Hillebrand, (415) 431-6747, hillga@consumer.org
Jeannine Kenney, (202) 462-6262, kennje@consumer.org