Practically from the moment that ChoicePoint and its data breaches first hit the national consciousness last year, Congress has been trying to find the right way to protect the data handled by information brokers and to set standards for notification when a security breach occurs (see my June 2005 column on the topic). Two new measures to do just that have come out of committee and await voting in the House of Representatives.
The two bills approach the problem in different ways. The first, the Financial Data Protection Act (H.R. 3997), amends an existing law--the Fair Credit Reporting Act--while the other, the Data Accountability and Trust Act (H.R. 4127, or DATA) creates a new law. Both measures go beyond breach notification and introduce new regulations for the affected industries, and both would supersede anything at the state level.
One of the main points of debate for any data protection bill is about notification. Specifically, when is it okay not to notify people whose data may have been compromised? Naturally, businesses and consumer advocates set the bar at different levels. Businesses seek a risk assessment approach that would require notification about a security breach only when it's determined there's a high risk the breach will lead to (or has led to) identity theft and fraud. Consumer advocates, in contrast, would prefer either notification in all cases, or when there's a possible or reasonable risk of damage from the breach.
DATA currently seems to offer one of the more reasonable paths to compromise, and thus passage; it has even garnered qualified approval from a few consumer groups.
DATA requires the Federal Trade Commission to set standards for the safeguarding of information held by data brokers. Among other things, the FTC standards would require a data broker to create a security policy that addresses how it collects, uses, sells, or otherwise disseminates information; require that a data broker designate a person within the organization who would be responsible for managing the security of the information; and provide for auditing of a data broker's internal security in order to identify and address vulnerabilities. The FTC would then collect the security policies of the firms involved, and would also have the authority to review a company's security practices following a data breach.
There's a nice bonus for consumers, too: Under this bill, a consumer would be entitled to one free annual report detailing the information that data brokers hold, and would have a means of correcting any included misinformation. To my knowledge, this is the only bill that makes the information report free.
The notification language in the bill is not ideal, but it's not too bad. Basically, it calls for notification of affected individuals whenever there's a "reasonable basis to conclude that there is a significant risk" of identity theft. Encryption of the stolen data negates the risk (encrypted data is also exempt in the landmark California disclosure law), but the proposed law states that if the encryption key has also been compromised--or is likely to be--then you go right back to having that reasonable risk.
The Financial Path
The Financial Data Protection Act does most of its work by amending the Fair Credit Reporting Act and by expanding the entities covered to include "consumer reporters," a category that includes basically any individual or organization that's in the business of collecting and selling information. Overall, it's a far more complicated bill than DATA, and it gives corporations slightly more wiggle room in determining whether a breach is serious enough to require notification.
Like DATA, this bill would require that companies assess their security and vulnerability, and provide reasonable security and confidentiality measures for the information they hold. A nice consumer bonus here, too: The legislation would require the company reporting a breach to give consumers who request it 6 months of free credit monitoring.
This bill calls on the Secretary of the Treasury, the Federal Reserve, and the FTC to develop and implement standards and guidelines for the organizations that the act covers. It also tries to harmonize its own provisions with those in the Gramm-Leach-Bliley Act, which helps protect the personal financial information that financial institutions hold. The attempt alone is good: Given that the act aims to amend existing financial regulations, there's great potential for overlap and contradictory rules. But that's also an argument against taking this route.
Both bills have some good points, but DATA's direct approach gives it an edge, in my opinion. Given that three other bills have stalled in the Senate after getting out of committee, however, neither of these proposals may win approval this year in any case.
Meanwhile, Back at the IRS...
While Congress looks to tighten data sharing rules, the Internal Revenue Service plans to loosen its own. The agency has recently, and quietly, discussed plans to allow tax preparers such as H&R Block and individual accountants to sell the data they collect. These businesses would have to get your approval first, however--that's the safeguard.
So, no worries, right? Only the people who expressly opt in will be bothered. Well, yes and no. Consumer advocacy groups are concerned because they know that when you go to a tax preparer of any kind, the tendency is to shove paper at the agent and then sign whatever gets handed back, with attention paid only to the amount of the refund or tax due. If your tax preparer is even a bit unscrupulous, they could hand you a release form at the bottom of the tax return stack and watch you sign away your data without being truly aware of what you're doing. The proposed rules do require a separate consent document with information only about the authorization to use the tax data, but still, there's some potential for abuse.
And you have to wonder exactly why the IRS is even thinking of doing this. There's little or no benefit to you and me--only to the people who want to turn your tax information into another product they can sell. Given the IRS's own poor track record with data security (see a recent Government Accountability Office report), you'd think the agency would be more leery of opening the data vaults to anyone.