H.R. 2221 (111th): Data Accountability and Trust Act

Introduced:
Apr 30, 2009 (111th Congress, 2009–2010)
Sponsor:
Rep. Bobby Rush [D-IL1]
Status:
Died (Passed House)
See Instead:
This bill was re-introduced as H.R. 1707 (112th) on May 04, 2011.

The bill’s title was written by the bill’s sponsor. H.R. stands for House of Representatives bill.

GovTrack’s Bill Summary

We don’t have a summary available yet.

Library of Congress Summary

The summary below was written by the Congressional Research Service, which is a nonpartisan division of the Library of Congress.


12/8/2009.
Section 2 -
Requires the Federal Trade Commission (FTC) to promulgate regulations requiring each person engaged in interstate commerce owning or possessing electronic data containing personal information, or contracting with a third party to maintain such data, to establish security policies and procedures.
Requires such policies and procedures to provide for:
(1) a security policy with respect to the use, sale, dissemination, and maintenance of data;
(2) an officer responsible for information security oversight;
(3) vulnerability testing of security programs; and
(4) a process for disposing of obsolete electronic and non-electronic data containing personal information.
Deems an information broker to be in compliance with the appropriate provisions of this Act if such broker is in compliance with:
(1) any other federal information security statutes which provide similar or greater protections than those required under this Act; or
(2) relevant provisions of the Fair Credit Reporting Act (FCRA).
Requires information brokers to submit their security policies to the FTC in conjunction with a security breach notification or on FTC request.
Authorizes the FTC to conduct audits of the information security practices of such information broker, or require independent audits of their practices.
Requires information brokers to:
(1) establish procedures to verify the accuracy of collected information that specifically identifies individuals;
(2) provide annually, and without cost, to individuals whose personal information it maintains a means to review it;
(3) place a notice on the Internet instructing individuals how to request access to such information;
(4) correct inaccurate information upon request; and
(5) in the case of information brokers that do use data for marketing purposes, allow individuals to decide if their information can be used.
Sets forth limitations to such access rights and website notice requirements.
Directs the FTC to require information brokers to establish measures which facilitate the auditing or retracing of access to, or transmissions of, electronic data containing personal information.
Prohibits information brokers from obtaining or disclosing, or soliciting to obtain, personal information by false pretenses (pretexting).
Exempts from the provisions of this section a service provider serving only as the conduit for the transmission, routing, or transient storage of information.
Section 3 -
Requires any person engaged in interstate commerce owning or possessing data in electronic form to notify, within 60 days following the discovery of a security breach:
(1) the FTC; and
(2) each individual whose personal information was acquired or accessed.
Requires a third party agent maintaining or processing personal information in electronic form to notify the person owning or possessing the data in the event of a security breach.
Requires a service provider transmitting, routing, or providing transient routing of personal information owned or possessed by another person to notify the person who initiated the connection or transmission in the event of a security breach.
Requires a person required to provide notification to more than 5,000 individuals to notify the major credit reporting agencies of the timing and distribution of the notices.
Sets forth notification provisions, including:
(1) notification timeliness and content;
(2) notification delay for law enforcement or national security purposes when notification would threaten law enforcement or national security; and
(3) substitute notification.
Requires a person providing notice to individuals to provide consumer credit reports or a credit monitoring service that enables consumers to detect misuse of their personal information.
Exempts a person from such notification requirements if following a security breach a person determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.
Establishes a presumption that there is no reasonable risk of identity theft, fraud, or other unlawful conduct if the personal information in electronic form subject to a security breach is unusable, unreadable, or indecipherable to an unauthorized third party.
Directs the FTC to issue rules identifying security methodologies or technologies which render data unusable, unreadable, or indecipherable for the purpose of establishing such presumption.
Directs the FTC to:
(1) place a security breach notice on its website if in the public interest; and
(2) study the practicality and cost effectiveness of providing notice in languages in addition to English.
Section 4 -
Limits the application of sections 2 and 3 of this Act to persons, partnerships, or corporations over which the FTC has authority pursuant to its authority to prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.
States that a violation of section 2 or 3 shall be treated as an unfair and deceptive act or practice.
Prohibits the FTC, when promulgating rules under this Act, from requiring the deployment or use of any specific products or technologies.
Provides for civil action enforcement by the attorney general of a state, or an official or agency of a state, for violations of sections 2 and 3.
Sets forth:
(1) methods for calculating civil penalties; and
(2) limitations and obligations on state actions.
Establishes as an affirmative defense to certain enforcement or civil actions under this section that all of the personal information compromised in a particular security breach is lawfully acquired public record information.
Section 5 -
Defines "information broker" as:
(1) a commercial entity (or its contractor or subcontractor) whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell or provide access to such information to any nonaffiliated third party.
States that such definition does not include a commercial entity to the extent that such entity processes information collected by or on behalf of and received from or on behalf of a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party to provide benefits for its employees or transact business with its customers.
Defines "personal information" as an individual's first name or initial and last name, address, or phone number, in combination with any one or more of the following data elements:
(1) social security number;
(2) driver's license number, passport number, military identification number, or other government-issued identity document; and
(3) financial account number or credit or debit card number and any related security access code or password.
Defines "service provider" as a person providing electronic data transmission, routing, intermediate and transient storage, or connections to its system, where the person providing such services does not select or modify the content of the electronic data, is not the sender or the intended recipient of the data, and such person transmits, routes, stores, or provides connections for personal information in a manner that personal information is undifferentiated from other types of data.
Section 6 -
Preempts any provision of a state law to the extent that the state law requires:
(1) information security practices and treatment of data containing personal information similar to any of those required under section 2 of this Act; and
(2) notification to individuals of a security breach resulting in unauthorized access to or acquisition of electronic data containing personal information.
Prohibits any person other than a person specified in section 4 of this Act from bringing a civil action under state law if such action is premised upon the defendant violating any provisions of this Act. (States that this provision shall not be construed to limit the enforcement of any state consumer protection law by an attorney general of a state.)
States that this Act shall not be construed to:
(1) limit FTC authority; or
(2) preempt state trespass, contract, tort, or fraud law.
Section 7 -
Makes this Act effective one year after its enactment.
Section 8 -
Authorizes FY2010-FY2015 appropriations to carry out this Act.

House Republican Conference Summary

The summary below was written by the House Republican Conference, which is the caucus of Republicans in the House of Representatives.


This summary can be found at http://www.gop.gov/bill/111/1/hr2221.

Summary

H.R. 2221 would require that parties electronically collecting consumers' personal information take steps to keep the data secure. The bill would require notification of affected consumers if there is a data breach. H.R. 2221 does allow law enforcement or national security agencies to delay notification under certain circumstances.

The bill directs the Federal Trade Commission (FTC) to create rules to require any person involved in interstate commerce who owns or possesses data containing personal information, or has a third party maintaining the data, to create procedures regarding information security practices to protect personal information. The bill clarifies that rules created by the FTC would require each data broker to submit security policies to the FTC if there is a security breach.

H.R. 2221 requires that following a security breach, any person involved in interstate commerce who owns or possesses data or a third party entity contracted to maintain data in electronic form containing personal information would have to notify each individual whose personal information was acquired by an unauthorized person and notify the FTC.

All security breach notifications would be made within 60 days, with limited exceptions. The notification requirement would not apply if the compromised information is considered unusable, unreadable or indecipherable by encryption or other security technology.

The measure specifies that the civil penalty cap that would apply to State enforcement of the bill would be $5 million for each violation. If a federal, State or local law enforcement agency determines that the notification required would impede a civil or criminal investigation, the notification would be delayed for 30 days. An agency would be able to revoke the delay or extend the period of time if needed. Additionally, if a federal national security agency or homeland security agency determines that a notification would threaten national or homeland security, the notification could be delayed for a period of time which the agency determines is reasonably necessary and requests in writing.

H.R. 2221 also creates a new procedure that would allow data information brokers to offer consumers the ability to prohibit their information from being used for marketing purposes.

The bill authorizes $1 million each year for the FTC between Fiscal Years 2010 and 2015.


Cost

There is no Congressional Budget Office (CBO) cost estimate available for this bill.

House Democratic Caucus Summary

The House Democratic Caucus does not provide summaries of bills.

So, yes, we display the House Republican Conference’s summaries when available even if we do not have a Democratic summary available. That’s because we feel it is better to give you as much information as possible, even if we cannot provide every viewpoint.

We’ll be looking for a source of summaries from the other side in the meanwhile.
