H.R. 2221 (111th): Data Accountability and Trust Act

Apr 30, 2009 (111th Congress, 2009–2010)
Died (Passed House)
Bobby Rush
Representative for Illinois's 1st congressional district
Last Updated
Dec 09, 2009
39 pages
Related Bills
H.R. 958 (110th) was a previous version of this bill.

Referred to Committee
Last Action: Feb 08, 2007

H.R. 1707 (112th) was a re-introduction of this bill in a later Congress.

Referred to Committee
Last Action: May 04, 2011


This bill was introduced in a previous session of Congress and was passed by the House on December 8, 2009 but was never passed by the Senate.

Introduced Apr 30, 2009
Referred to Committee Apr 30, 2009
Reported by Committee Sep 30, 2009
Passed House Dec 08, 2009
Full Title

To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.


Primary Source

THOMAS.gov (The Library of Congress)

GovTrack gets most information from THOMAS, which is updated generally one day after events occur. Activity since the last update may not be reflected here. Data comes via the congress project.


H.R. stands for House of Representatives bill.

A bill must be passed by both the House and Senate in identical form and then be signed by the president to become law.

The bill’s title was written by its sponsor.

GovTrack’s Bill Summary

We don’t have a summary available yet.

Library of Congress Summary

The summary below was written by the Congressional Research Service, which is a nonpartisan division of the Library of Congress.

12/8/2009--Passed House amended.
Data Accountability and Trust Act -
Section 2 -
Requires the Federal Trade Commission (FTC) to promulgate regulations requiring each person engaged in interstate commerce owning or possessing electronic data containing personal information, or contracting with a third party to maintain such data, to establish security policies and procedures.
Requires such policies and procedures to provide for: (1) a security policy with respect to the use, sale, dissemination, and maintenance of data; (2) an officer responsible for information security oversight; (3) vulnerability testing of security programs; and (4) a process for disposing of obsolete electronic and non-electronic data containing personal information.
Deems an information broker to be in compliance with the appropriate provisions of this Act if such broker is in compliance with: (1) any other federal information security statutes which provide similar or greater protections than those required under this Act; or (2) relevant provisions of the Fair Credit Reporting Act (FCRA).
Requires information brokers to submit their security policies to the FTC in conjunction with a security breach notification or on FTC request. Authorizes the FTC to conduct audits of the information security practices of such information broker, or require independent audits of their practices.
Requires information brokers to:
(1) establish procedures to verify the accuracy of collected information that specifically identifies individuals;
(2) provide annually, and without cost, to individuals whose personal information it maintains a means to review it;
(3) place a notice on the Internet instructing individuals how to request access to such information;
(4) correct inaccurate information upon request; and
(5) in the case of information brokers that do use data for marketing purposes, allow individuals to decide if their information can be used.
Sets forth limitations to such access rights and website notice requirements.
Directs the FTC to require information brokers to establish measures which facilitate the auditing or retracing of access to, or transmissions of, electronic data containing personal information.
Prohibits information brokers from obtaining or disclosing, or soliciting to obtain, personal information by false pretenses (pretexting).
Exempts from the provisions of this section a service provider serving only as the conduit for the transmission, routing, or transient storage of information.
Section 3 -
Requires any person engaged in interstate commerce owning or possessing data in electronic form to notify, within 60 days following the discovery of a security breach: (1) the FTC; and (2) each individual whose personal information was acquired or accessed.
Requires a third party agent maintaining or processing personal information in electronic form to notify the person owning or possessing the data in the event of a security breach.
Requires a service provider transmitting, routing, or providing transient routing of personal information owned or possessed by another person to notify the person who initiated the connection or transmission in the event of a security breach.
Requires a person required to provide notification to more than 5,000 individuals to notify the major credit reporting agencies of the timing and distribution of the notices.
Sets forth notification provisions, including: (1) notification timeliness and content; (2) notification delay for law enforcement or national security purposes when notification would threaten law enforcement or national security; and (3) substitute notification.
Requires a person providing notice to individuals to provide consumer credit reports or a credit monitoring service that enables consumers to detect misuse of their personal information.
Exempts a person from such notification requirements if following a security breach a person determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.
Establishes a presumption that there is no reasonable risk of identity theft, fraud, or other unlawful conduct if the personal information in electronic form subject to a security breach is unusable, unreadable, or indecipherable to an unauthorized third party. Directs the FTC to issue rules identifying security methodologies or technologies which render data unusable, unreadable, or indecipherable for the purpose of establishing such presumption.
Directs the FTC to: (1) place a security breach notice on its website if in the public interest; and (2) study the practicality and cost effectiveness of providing notice in languages in addition to English.
Section 4 -
Limits the application of sections 2 and 3 of this Act to persons, partnerships, or corporations over which the FTC has authority pursuant to its authority to prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.
States that a violation of section 2 or 3 shall be treated as an unfair and deceptive act or practice.
Prohibits the FTC, when promulgating rules under this Act, from requiring the deployment or use of any specific products or technologies.
Provides for civil action enforcement by the attorney general of a state, or an official or agency of a state, for violations of section 2 and 3. Sets forth: (1) methods for calculating civil penalties; and (2) limitations and obligations on state actions.
Establishes as an affirmative defense to certain enforcement or civil actions under this section that all of the personal information compromised in a particular security breach is lawfully acquired public record information.
Section 5 -
Defines "information broker" as:
(1) a commercial entity (or its contractor or subcontractor) whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell or provide access to such information to any nonaffiliated third party.
States that such definition does not include a commercial entity to the extent that such entity processes information collected by or on behalf of and received from or on behalf of a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party to provide benefits for its employees or transact business with its customers.
Defines "personal information" as an individual's first name or initial and last name, address, or phone number, in combination with any one or more of the following data elements: (1) social security number; (2) driver's license number, passport number, military identification number, or other government-issued identity document; and (3) financial account number or credit or debit card number and any related security access code or password.
Defines "service provider" as a person providing electronic data transmission, routing, intermediate and transient storage, or connections to its system, where the person providing such services does not select or modify the content of the electronic data, is not the sender or the intended recipient of the data, and such person transmits, routes, stores, or provides connections for personal information in a manner that personal information is undifferentiated from other types of data.
Section 6 -
Preempts any provision of a state law to the extent that the state law requires: (1) information security practices and treatment of data containing personal information similar to any of those required under section 2 of this Act; and (2) notification to individuals of a security breach resulting in unauthorized access to or acquisition of electronic data containing personal information.
Prohibits any person other than a person specified in section 4 of this Act from bringing a civil action under state law if such action is premised upon the defendant violating any provisions of this Act. (States that this provision shall not be construed to limit the enforcement of any state consumer protection law by an attorney general of a state.)
States that this Act shall not be construed to: (1) limit FTC authority; or (2) preempt state trespass, contract, tort, or fraud law.
Section 7 -
Makes this Act effective one year after its enactment.
Section 8 -
Authorizes FY2010-FY2015 appropriations to carry out this Act.

House Republican Conference Summary

The summary below was written by the House Republican Conference, which is the caucus of Republicans in the House of Representatives.

No summary available.

House Democratic Caucus Summary

The House Democratic Caucus does not provide summaries of bills.