Coming to a Theatre near you

by Tony Neate on December 17, 2009

Guest blogger: Richard Hollis

Last week, the United States House of Representatives passed the Data Accountability and Trust Act (H.R. 2221). The bill now goes to the Senate on its way to becoming Federal law. This is long-awaited and very good news for consumers. It is similar to the breach notification laws enacted by over 30 of the 50 states, sparked by California mandating public disclosure of breaches back in 2003. Federal public disclosure laws were previously blocked under the Bush Administration. In essence it mandates that businesses publicly disclose breaches of personal information in their possession.
     
The new law would formally define personal information as "an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

• Social Security number, driver's license number or other identification number
• Financial account number, or credit or debit card number and any required security code, access code, or password necessary to permit access to an individual's financial account."

It formally establishes the Federal Trade Commission (FTC) as the oversight body and requires organisations holding such data to implement a data security policy and to designate an information security officer. More importantly, the new law directs businesses in possession of personal data to establish procedures for identifying security vulnerabilities in the networks that process this data and to monitor for breaches. The FTC would also be tasked with posting notified breaches on its website.

The bill has more stringent requirements for "data brokers", including a security audit in the event of a breach. It also requires that victims be provided with quarterly credit reports, free of charge, for two years. Third parties that process data on behalf of another business are required to notify the owner of that data of a breach, and the owner is then required to notify the affected consumers. It doesn't get any better than that.

The law will naturally result in a higher level of protection for personal data held by both public and private sector entities and establish a legal framework for enforcement actions resulting from breaches. It will also add some degree of consistency for organisations establishing programmes to protect personal data and simplify compliance.
 
Good news for consumers everywhere, as US law has a way of influencing legislation worldwide.

by Richard Hollis December 16, 2009 – Orthus Ltd
