August 12, 2010

Honorable Jay Rockefeller, Chairman
Senate Committee on Commerce, Science, and Transportation
U.S. Senate
531 Hart Senate Office Building
Washington, DC 20510

Honorable Mark Pryor, Chairman
Subcommittee on Consumer Protection, Product Safety, and Insurance
U.S. Senate
255 Dirksen Senate Office Building
Washington DC 20510

RE: “Data Security and Breach Notification Act of 2010”

Dear Chairman Rockefeller and Chairman Pryor:

We are writing to thank you for your leadership on consumer data security and for your work on the “Data Security and Breach Notification Act of 2010.” We strongly support many of the provisions of the bill, and thank you for your ongoing efforts to provide consumers with increasing control over the way their electronic information is collected, transmitted, and stored.

This legislation represents a significant step forward in the effort to ensure that consumers’ privacy is protected.

We applaud the bill’s notification provisions, which require covered entities to provide notice of security breach within 60 days of the breach. The situations in which a covered entity may exceed this deadline are appropriate and narrowly tailored. The exemption in the bill, allowing covered entities to avoid the bill’s requirements to give notice of breach only as long as there is “no reasonable risk of identity theft, fraud, or other unlawful conduct,” is also narrowly tailored, although we note that a stronger breach standard is already in place in several large states.

We also support the bill’s definition of “personally identifiable information,” which
includes not only an individual’s name, in combination with one data element from the listed categories, but also an individual’s address or phone number, combined with one of the listed data categories. We believe including address and phone number is important due to the use of reverse search directories, which can reveal an individual’s name as long as an address or phone number is provided.

We are particularly pleased that the bill includes a focus on the activities of information brokers, defined as commercial entities whose business is to collect, assemble, or maintain personal information concerning individuals with the purpose of selling such information to unaffiliated third parties. The provisions requiring information brokers to submit their security policies to the FTC, as well to undergo a potential FTC post-breach audit, are particularly strong.

In addition, we support the provision instructing the FTC to promulgate regulations that would require information brokers to keep an audit log of all accessed and transmitted information.

These requirements give the Commission the tools necessary to monitor compliance and enforce the goals of this bill.

The prohibition on pretexting by information brokers is another important segment of the bill. Information brokers should never be able to obtain any personally identifiable information from consumers through unlawful or deceptive practices, and they should not be able to use other individuals to obtain information in this manner.

The provision allowing state Attorneys General and other state officials to bring civil actions on behalf of the residents of the State when there is reason to believe that the requirements of the bill have been breached is yet another strong feature of the bill. This provision increases the likelihood that non-compliant entities will be held responsible for the consequences of their data security practices, and will be required to pay restitution and damages to individuals harmed by their actions.

There are additional ways in which the bill could further secure computerized sensitive consumer personal information. For example, the bill could establish incentives for covered entities to minimize data collection and to destroy personal data after a specified period of time.

We would also like to note that some state laws go further in protecting consumer data security. As a result, we caution against including too much state pre-emption in the bill. The bill as currently drafted does preempt state laws to some degree, but we appreciate that it is reasonably narrowly tailored.

We would like to thank you again for your work on consumer privacy issues, and hope to work together with you in support of consumer privacy legislation.

Regards,
Ioana Rusu
Consumers Union