On December 8, the House of Representatives passed by voice vote H.R. 2221, entitled the "Data Accountability and Trust Act" ("DATA"), which would require all organizations engaged in interstate commerce that manage, or contract with another to manage, electronic data containing personal information to comply with a comprehensive set of standards designed to protect that information from unnecessary disclosure and to prevent identity theft and other fraud. The proposed legislation has three primary goals:
First, DATA would put into place a federal law regarding the standards for notification of breaches or thefts involving personally identifiable information. DATA would also require that notification be provided to the Federal Trade Commission (“FTC”) if there is a breach. Although there is no current requirement of notification to state agencies, DATA does allow state agencies and the FTC to enforce the provisions of DATA. Although almost all states and jurisdictions have data breach notification laws in place, and other states are on the verge of passing new data breach notification laws, a federal law would replace the jumble of standards and reporting requirements.
Second, DATA would require firms that store personally identifiable information to have in place security policies and procedures ensuring that the information is adequately protected. These proposed provisions largely track those already in place under the Gramm-Leach-Bliley Act.
Third, DATA has added provisions related to consumers’ ability to review and correct misinformation held by a firm. Similar to the right to review and protest information contained in credit reports under the Fair Credit Reporting Act, consumers are allowed to point out incorrect “personal information” a firm maintains.
Under DATA, the FTC would be directed to issue regulations and guidance implementing and interpreting many of the specifics, and would be granted civil enforcement authority through its power under the FTC Act to prevent unfair and deceptive trade practices. In addition, DATA would empower state attorneys general to bring civil actions to enforce its provisions with regard to violations against residents of their respective states. Penalties would be substantial. The failure of any covered organization to implement a comprehensive data security program, or of data brokers to implement the requirements specific to them, would carry a maximum penalty of $11,000 per violation (which in the case of the data security program would be $11,000 per day), up to a maximum of $5,000,000. Failing to comply with the breach notification provision would carry a penalty of up to $11,000 per failed notification, up to a maximum of $5,000,000, a ceiling that could theoretically be reached by an unreported breach of the personal information of only 455 individuals.
The Senate Judiciary Committee last month approved two bills similar to DATA. While there are some differences in those proposals, all three bills seem to enjoy some bipartisan support. Although the full Senate chamber is unlikely to vote on the bills for some time, proponents are now likely to point to the momentum generated by the passage of DATA to bring the issue before the full Senate sooner rather than later.