28 March 2006
Committee on Energy and Commerce
United States House of Representatives
Washington, DC 20515
We are writing to urge you to vote in favor of the chairman’s substitute to H.R. 4127, the “Data Accountability and Trust Act (DATA),” at tomorrow’s full committee markup. The substitute represents a reasonable compromise that will provide consumers with some significant protections from the harms that can arise from preventable data breaches, such as the over 150 that came to light in 2005 alone, while setting reasonable limits on the responsibilities of businesses.
We strongly support the important right this bill gives individuals to review their data broker files, and we urge you to oppose any attempt to weaken or strike this section of the amendment; indeed, if anything, we believe this language could be clarified in some respects to ensure against unintended loopholes. Currently, data brokers like ChoicePoint are unregulated when they act in areas outside of the Fair Credit Reporting Act (FCRA). They gather and sell personal information on almost all Americans in the form of detailed dossiers that, as we know from regular news reports, are vulnerable to security breaches.
Individuals have no way of knowing what information is being held on them, why it is being held, to whom it is being sold, or whether it is correct. The records collected by data brokers may include the information in a typical consumer credit file (personal information, financial payment history, liens and bankruptcies), as well as other information, such as criminal records, biometric data (fingerprints and other DNA samples), and health records. Data brokers sell this information to private companies, private investigators, and even the government itself. The information can directly affect individuals; for example, an individual could be incorrectly associated with a criminal suspect based on inaccurate information in his or her data broker file. As a result, it is critical that individuals be able to review their files and correct any inaccuracies. H.R. 4127 allows individuals to do so annually at no cost.
We are also pleased with the compromise “trigger” language relating to when a business must notify individuals of a breach of their personal information. Notification is critical because it provides a marketplace incentive for companies to keep our information secure and tells individuals that they are at increased risk for identity theft so that they can take reasonable steps to prevent becoming victims. For example, individuals who receive a notice of breach letter might monitor their credit closely, check their financial statements frequently, and possibly place a security freeze on their consumer credit files if they live in a state that allows it. This lets individuals stay one step ahead of potential identity thieves.
H.R. 4127 includes a compromise policy in which a company can be excepted from the individual notification requirement if it determines that there is no reasonable risk of harm to individuals. This approach should ensure that uncertainty about the circumstances surrounding a security breach does not become an excuse for failing to notify individuals about the breach.
The substitute also expands the enforcement section to allow state Attorneys General to bring enforcement actions. This is critical, because a strong enforcement mechanism is necessary to ensure that covered entities have incentives to comply with the law.
There are, of course, changes we would like to see to the bill, particularly with respect to reducing preemption and strengthening enforcement. However, we believe that H.R. 4127 represents a reasonable compromise. Please support H.R. 4127 in markup, and support strengthening and oppose weakening amendments.
Consumer Federation of America
Privacy Rights Clearinghouse
Center for Democracy & Technology