Data Security


Issue
Surreptitious computer users, corporate error and other factors have led to a number of high-profile personal data security breaches, where sensitive information leaves the control of merchants, banks or credit card companies. Congress is looking for the right balance between securing sensitive personal information and not hindering the ability of businesses to use more benign information for legitimate purposes.

AAF position
Data security breaches may be serious violations of one's financial, medical or other personal information. Or they may reveal individual and aggregate data about buying habits, marketing preferences and the like. This difference must be distinguished when deciding how breaches are handled. Brand preference doesn't need to be treated with the same level of security as financial records. The AAF believes some proposed laws aimed at securing data would do more harm than good.

For instance, marketers may keep track of grocery store purchases in order to provide a customer with coupons he or she is most likely to use. Many Web sites will track which links a user clicks on to gauge interest but do so anonymously. This information is used to target ads most likely to be of interest. The AAF believes improved enforcement of existing laws and regulations serves the public better than creating overreaching laws that may stymie innovation and cripple e-commerce.

Opposition
As a result of several high-profile data security breaches, privacy advocates have called for strict restrictions on data use and guidelines for responding to a breach. Criminal penalties have been proposed, not only for those responsible for the breach, but also for those found to have hidden the breach from the public.

Legislation
H.R. 4127: Data Accountability and Trust Act (DATA). Introduced by Rep. Cliff Stearns, R-Fla., October 25, 2005. This bill would require companies to report to consumers any breach of security concerning the consumer's personal information. H.R. 4127 was approved by the Energy and Commerce Committee on March 31, 2006.

S. 1408: Identity Theft Protection Act. Introduced by Sen. Gordon Smith, R-Ore., July 14, 2005. Reported out of the Judiciary Committee, this bill requires disclosure of any security breach affecting more than 1,000 persons within 90 days of discovery and establishes procedures for doing so. It allows consumers to freeze their credit report if a breach is reported. The bill was reported on favorably by the Judiciary Committee, November 17, 2005, and has six co-sponsors.

S. 1789: Personal Data Privacy and Security Act of 2005. Introduced by Sen. Arlen Specter, R-Pa., September 29, 2005. This legislation requires companies that have more than 10,000 records to institute security policies and to provide notice of security breaches. Those responsible for the breaches, as well as companies that conceal the breaches, would face criminal penalties. S. 1789 was reported on favorably by the Judiciary Committee, November 17, 2005, and has six co-sponsors.

H.R. 3140: Consumer Data Security and Notification Act of 2005. Introduced by Rep. Melissa Bean, D-Ill., June 30, 2005. This bill would expand the protections for sensitive personal data to include third-party information brokers and enhance data security requirements for consumer reporting agencies. This bill has 16 co-sponsors, but no hearings have been held or scheduled.

H.R. 3374: Consumer Notification and Financial Data Protection Act of 2005. Introduced by Rep. Steven LaTourette, R-Ohio, July 21, 2005. This bill calls for notification to be sent to any consumer who may have had financial information compromised. This bill has one co-sponsor, but no hearings have been held or scheduled.

Updates
April 4, 2006: Prior to the passage of H.R. 4127, the AAF joined with several associations in a letter to Commerce Chairman Joe Barton, R-Texas, arguing that security breach notifications should occur only when there is a significant risk of identity theft. After markup, the current form of the bill could result in over-notification of consumers, especially when there is no significant risk of identity theft, resulting in disregard of important notices.

May 25, 2006: H.R. 5318: Cyber-Security Enhancement and Consumer Data Protection Act of 2006. Introduced by Judiciary Chairman F. James Sensenbrenner, R-Wis., May 9, 2006. This bill would impose stricter law enforcement on data thieves, treating security breaches as a judiciary matter. The bill was approved by the House Judiciary Committee on May 25, but has not yet received a House vote.

June 4, 2006: Both H.R. 3997 and H.R. 4127 have passed the House.

Last updated: June 2006
