
last updated on June 12, 2006

DATA SECURITY BREACH

THE ISSUE IS. Identity theft is the fastest growing crime in the country and with the highly publicized security breaches from ChoicePoint, LexisNexis, Bank of America and Citibank, regulators have opened investigations into the data security failures. The latest data security failure occurred when a hacker accessed and compromised 40 million MasterCard International accounts that were serviced by CardSystems Solutions Inc.

IT'S IMPORTANT BECAUSE. The Federal Trade Commission estimates that 10 million Americans fall victim to identity theft each year, costing consumers and businesses more than $55 billion annually.

Financial information privacy remains a controversial and politically significant issue. The continued attention on privacy is leading to increasing awareness of the vulnerabilities of companies and their affiliates.

Congress is studying the issue and is beginning to introduce various pieces of legislation to address this dilemma. Among the key issues to be addressed are: 1) which breaches should trigger customer notification, i.e., any unauthorized disclosure, or only disclosures that could lead to harm such as identity theft; 2) whether there should be state functional regulation or, if not, which federal agency should have jurisdiction to enforce notification requirements; and 3) whether federal legislation will preempt state laws.

The Senate Commerce, Science, and Transportation Committee passed S. 1408, which would require companies to notify consumers when their personal information is compromised and there is a "reasonable risk of identity theft." The legislation was introduced by Senators Gordon Smith (R-OR) and Bill Nelson (D-FL) and is also supported by Senate Commerce Committee Chairman Ted Stevens (R-AK) and Ranking Member Daniel Inouye (D-HI).

The Senate Judiciary Committee has passed two different identity theft bills. S. 1789, the Personal Data Privacy and Security Act of 2005, was introduced by Senate Judiciary Committee Chairman Arlen Specter (R-PA) and Ranking Member Patrick J. Leahy (D-VT). The legislation would allow consumers access to, and the opportunity to correct, any personal information held by data brokers. It would also require the government to establish rules protecting privacy and security when it uses data-broker information and to impose penalties on government contractors that fail to comply with such rules.

The other bill passed by the committee was S. 1326, introduced by Senator Jeff Sessions (R-AL).

S. 1326, the Notification of Risk to Personal Data Act, would apply only to computerized data and not to paper records. It would require agencies and persons in possession of computerized data containing sensitive personal information to disclose security breaches where the breach poses a significant risk of identity theft. The bill is not intended to modify, limit or supersede federal law, including Gramm-Leach-Bliley and the Fair Credit Reporting Act. The legislation permits civil remedies for failure to give proper notice, subject to a cap of $250,000 per breach. The bill also permits legal action by state attorneys general and allows functional regulators to enforce compliance with the bill. It preempts state laws that relate to electronic information security standards or notification of a security breach. This legislation is much narrower in scope than S. 1789.

Other legislation introduced in the Senate chamber is as follows:

  • S. 115 was introduced by Senator Dianne Feinstein (D-CA). The Notification of Risk to Personal Data Act would require consumer notification in the event that sensitive, unencrypted personally identifiable information has been either acquired or accessed without authorization. Enforcement authority is delegated to the Federal Trade Commission (FTC), with damages limited to not more than $5,000 per violation, subject to a maximum of $25,000 per day. The bill also allows state attorneys general to bring claims for violations of the bill, does not fully preempt state laws, and includes a carve-out for California law, S.B. 1386.
  • Senator Bill Nelson (D-FL) and Representative Ed Markey (D-MA) have jointly introduced S. 500/H.R. 1080, the Information Protection and Security Act. The bill directs the FTC to promulgate regulations governing the conduct of information brokers and the protection of personally identifiable information held by such brokers. State attorneys general may bring claims, with no mention of limits or caps, for violations of the regulations promulgated under the bill. The bill includes damages of $1,000 per violation and does not preempt state law.
  • Senator Feinstein has also introduced S. 751, the Notification of Risk to Personal Data Act, which more closely mimics California S.B. 1386 by requiring notification of consumers in the event that an unauthorized person has acquired their personal information. The bill exempts agencies from the notification requirement for national security and law enforcement purposes. Data covered by the bill includes Social Security numbers, driver's license numbers, and credit card numbers. Violations would be subject to fines of $1,000 per individual whose personal data was compromised, as well as $50,000 for each day that notification is delayed. The authority to enforce the notice requirements, including the assessment of fines, would reside with the FTC. The bill would also preempt state laws as they relate to notification.
  • Senator Charles E. Schumer (D-NY) introduced S. 768, the Comprehensive Identity Theft Prevention Act. S. 768 creates an Office of Identity Theft within the FTC and authorizes the Office to take civil enforcement actions against those who violate the act. The bill also prohibits the solicitation, display, sale, purchase, or use of, and access to, Social Security numbers. The bill sets forth notification requirements regarding the unauthorized acquisition of, or the intention to share, an individual's sensitive personal information and places penalties on those who violate the requirements.
  • Sens. Arlen Specter (R-PA) and Patrick Leahy (D-VT) introduced S. 1332, the Personal Data Privacy and Security Act of 2005. S. 1332 would address identity theft, data broker security standards, customer notification, and corporate use of Social Security numbers. The bill would: increase penalties for identity theft involving electronic personal data; require entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data; limit the buying, selling, and display of Social Security numbers without the consent of the individual whose number it is; prohibit companies from requiring individuals to use Social Security numbers as account numbers, and limit when companies can force individuals to disclose those numbers in order to obtain goods and services; and bar government agencies from posting public records that contain Social Security numbers on the Internet.
  • S. 1216, the Financial Privacy Breach Notification Act, was introduced by Sen. Jon Corzine (D-NJ). The legislation would amend Gramm-Leach-Bliley to require a financial institution to promptly notify customers, consumer reporting agencies, and the appropriate law enforcement agencies when a breach of personal information has occurred. The bill authorizes the FTC to enforce compliance with the act.
  • S. 1336, the Consumer Identity Protection and Security Act, was introduced by Sen. Mark Pryor (D-AR). It would require a consumer reporting agency to place a security freeze on a consumer's file when requested. The bill grants the FTC enforcement powers for violations of the act.

There has been plenty of activity on data security legislation in the House of Representatives.

  • Rep. Melissa Bean (D-IL) introduced H.R. 1069, which would require organizations to disclose any "unauthorized acquisition" of electronic data containing personal information. The legislation would amend Gramm-Leach-Bliley to require a financial institution to notify all affected customers, consumer reporting agencies, the FTC and appropriate law enforcement agencies when a breach has occurred. The bill would also require a consumer reporting agency to maintain a fraud alert on the file of any consumer upon receiving notice of a breach of that consumer's personal information. It also authorizes state attorneys general to bring civil actions in federal district court to enforce the act.
  • H.R. 3140, the Consumer Data Security and Notification Act of 2005, was introduced by Rep. Bean with 16 cosponsors. H.R. 3140 would require notice to individuals when there is a breach of the security of non-public, sensitive information held by financial institutions or consumer reporting agencies, including data brokers. Notice is not required if the company finds that "misuse of the information is unlikely" and continues to monitor the affected customers' accounts for unusual or suspicious activity. Enforcement is left to the Federal Trade Commission.
  • Reps. Steven LaTourette (R-OH) and Darlene Hooley (D-OR) introduced H.R. 3374, the Consumer Notification and Financial Data Protection Act of 2005. The legislation would provide for the uniform and timely notification of consumers whose sensitive financial personal information has been placed at risk by a breach of data security, enhance data security safeguards, and provide appropriate consumer mitigation services. The bill would also direct the FTC to promulgate regulations requiring a financial institution that maintains or possesses sensitive financial personal information for a business purpose to dispose of such information. H.R. 3374 would also preempt state laws.

The House Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection passed a data security bill, H.R. 4127, the Data Accountability and Trust Act (DATA), in November by a party-line vote of 13-8. H.R. 4127 would instruct the Federal Trade Commission (FTC) to promulgate regulations that require each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information.

House Energy and Commerce Committee Chairman Joe Barton (R-TX) has promised that he will address privacy concerns in separate legislation to be introduced sometime this year with Rep. Cliff Stearns (R-FL), who chairs the House Subcommittee on Commerce, Trade, and Consumer Protection.

Also in November, House Financial Institutions and Consumer Credit Subcommittee Chairman Spencer Bachus (R-AL) held a hearing on H.R. 3997, which was introduced by Reps. Deborah Pryce (R-OH), Michael Castle (R-DE), Steven LaTourette (R-OH), Darlene Hooley (D-OR), and Dennis Moore (D-KS). The bill has also been endorsed by Rep. Michael Oxley (R-OH), chairman of the full committee. NAMIC has also endorsed the bill and has sent a letter to the Committee stating our support.

On March 17, 2006, the House Financial Services Committee approved H.R. 3997, the Financial Data Protection Act of 2005, by a vote of 48-17. H.R. 3997 applies to all entities regulated by the Fair Credit Reporting Act. The legislation would: prevent data breaches by mandating a national standard for the protection of sensitive consumer information; require institutions to notify consumers that their information has been compromised; and require that institutions provide consumers with a free six-month nationwide credit monitoring service upon notification of a breach related to sensitive identity information. The state functional regulators will enforce the legislation's provisions.

On May 24, the House Financial Services and Energy and Commerce Committees each stripped out the other's version of data security legislation during separate markups and substituted the text of their own.

By voice vote, the Financial Services Committee inserted the text of its bill (H.R. 3997) in the Energy and Commerce bill (H.R. 4127) during its markup.

The Energy and Commerce Committee voted 42-0 to substitute the text of their bill (H.R. 4127) and insert the language into H.R. 3997.

To complicate matters, on May 25, the House Judiciary Committee approved by voice vote H.R. 4127, the Data Accountability and Trust Act (DATA). The bill that was approved was the original version of H.R. 4127, prior to the Financial Services Committee markup changes. Specifically, the DATA bill would: 1) require the FTC to promulgate regulations requiring companies to safeguard personal information; 2) require companies to notify consumers if their personal information is compromised by a breach; 3) require federal agencies to notify consumers if their personal information is acquired by an unauthorized person; 4) impose safeguards on information brokers; 5) preempt state laws; and 6) provide the FTC and state attorneys general with the power of enforcement.

The House Leadership has instructed the Financial Services, Energy and Commerce, and Judiciary Committees to craft a single measure that could go to the floor for debate after the Memorial Day recess.

NAMIC POSITION. The highly publicized security breaches have led the Congress to consider ways to reduce the frequency of such breaches and to ameliorate the adverse impact on those persons whose personal information has been compromised. NAMIC supports legislation that would establish a national standard for notifying consumers when a security breach has occurred and it is likely that the information will be misused. It is also important to ensure that any legislation does not create a burdensome process on either the financial institutions or consumers.

NAMIC also supports the privacy provisions contained in the Gramm-Leach-Bliley Act (GLBA) as well as the Fair Credit Reporting Act (FCRA). NAMIC believes that consumers deserve to know that the "nonpublic personal information" they submit to a financial institution, including an insurance company, will not be used in an inappropriate manner or obtained by any unauthorized person(s). However, NAMIC recognizes that, despite the best intentions and provisions contained in GLBA and FCRA, identity theft has become the fastest growing crime in the United States.
