A long-awaited bill relating to information brokers and security breaches has finally been introduced by Rep. Bobby L. Rush [D-IL-1]. The 38-page HR 1707, the “Data Accountability and Trust Act,” introduced May 4, pertains to information brokers and is cosponsored by Rep. Joe Barton [R-TX-1] and Rep. Janice D. Schakowsky [D-IL-9]. All three sponsors are members of the House Committee on Energy and Commerce, to which this bill has been referred.
Some of the areas of the bill about which ISPLA has concerns are contained in the portions of the bill's language that follow:
(b) Special Requirements for Information Brokers-
(1) SUBMISSION OF POLICIES TO THE FTC- The regulations promulgated under subsection (a) shall require each information broker to submit its security policies to the Commission in conjunction with a notification of a breach of security under section 3 or upon request of the Commission.
(2) POST-BREACH AUDIT- For any information broker required to provide notification under section 3, the Commission may conduct audits of the information security practices of such information broker, or require the information broker to conduct independent audits of such practices (by an independent auditor who has not audited such information broker’s security practices during the preceding 5 years).
(3) ACCURACY OF AND INDIVIDUAL ACCESS TO PERSONAL INFORMATION-
(i) IN GENERAL- Each information broker shall establish reasonable procedures to assure the maximum possible accuracy of the personal information it collects, assembles, or maintains, and any other information it collects, assembles, or maintains that specifically identifies an individual, other than information which merely identifies an individual’s name or address.
(ii) LIMITED EXCEPTION FOR FRAUD DATABASES- The requirement in clause (i) shall not prevent the collection or maintenance of information that may be inaccurate with respect to a particular individual when that information is being collected or maintained solely–
(I) for the purpose of indicating whether there may be a discrepancy or irregularity in the personal information that is associated with an individual; and
(II) to help identify, or authenticate the identity of, an individual, or to protect against or investigate fraud or other unlawful conduct.
(B) CONSUMER ACCESS TO INFORMATION-
(i) ACCESS- Each information broker shall–
(I) provide to each individual whose personal information it maintains, at the individual’s request at least 1 time per year and at no cost to the individual, and after verifying the identity of such individual, a means for the individual to review any personal information regarding such individual maintained by the information broker and any other information maintained by the information broker that specifically identifies such individual, other than information which merely identifies an individual’s name or address; and
(II) place a conspicuous notice on its Internet website (if the information broker maintains such a website) instructing individuals how to request access to the information required to be provided under subclause (I), and, as applicable, how to express a preference with respect to the use of personal information for marketing purposes under clause (iii).
(ii) DISPUTED INFORMATION- Whenever an individual whose information the information broker maintains makes a written request disputing the accuracy of any such information, the information broker, after verifying the identity of the individual making such request and unless there are reasonable grounds to believe such request is frivolous or irrelevant, shall–
(I) correct any inaccuracy; or
(II)(aa) in the case of information that is public record information, inform the individual of the source of the information, and, if reasonably available, where a request for correction may be directed and, if the individual provides proof that the public record has been corrected or that the information broker was reporting the information incorrectly, correct the inaccuracy in the information broker’s records; or
(bb) in the case of information that is non-public information, note the information that is disputed, including the individual’s statement disputing such information, and take reasonable steps to independently verify such information under the procedures outlined in subparagraph (A) if such information can be independently verified.
(iii) ALTERNATIVE PROCEDURE FOR CERTAIN MARKETING INFORMATION- In accordance with regulations issued under clause (v), an information broker that maintains any information described in clause (i) which is used, shared, or sold by such information broker for marketing purposes, may, in lieu of complying with the access and dispute requirements set forth in clauses (i) and (ii), provide each individual whose information it maintains with a reasonable means of expressing a preference not to have his or her information used for such purposes. If the individual expresses such a preference, the information broker may not use, share, or sell the individual’s information for marketing purposes.
(iv) LIMITATIONS- An information broker may limit the access to information required under clause (i)(I) and is not required to provide notice to individuals as required under clause (i)(II) in the following circumstances:
(I) If access of the individual to the information is limited by law or legally recognized privilege.
(II) If the information is used for a legitimate governmental or fraud prevention purpose that would be compromised by such access.
(III) If the information consists of a published media record, unless that record has been included in a report about an individual shared with a third party.
(v) RULEMAKING- Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to carry out this paragraph and to facilitate the purposes of this Act. In addition, the Commission shall issue regulations, as necessary, under section 553 of title 5, United States Code, on the scope of the application of the limitations in clause (iv), including any additional circumstances in which an information broker may limit access to information under such clause that the Commission determines to be appropriate.
(C) FCRA REGULATED PERSONS- Any information broker who is engaged in activities subject to the Fair Credit Reporting Act and who is in compliance with sections 609, 610, and 611 of such Act (15 U.S.C. 1681g; 1681h; 1681i) with respect to information subject to such Act, shall be deemed to be in compliance with this paragraph with respect to such information.
(4) REQUIREMENT OF AUDIT LOG OF ACCESSED AND TRANSMITTED INFORMATION- Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require information brokers to establish measures which facilitate the auditing or retracing of any internal or external access to, or transmissions of, any data containing personal information collected, assembled, or maintained by such information broker.
(5) PROHIBITION ON PRETEXTING BY INFORMATION BROKERS-
(A) PROHIBITION ON OBTAINING PERSONAL INFORMATION BY FALSE PRETENSES- It shall be unlawful for an information broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by–
(i) making a false, fictitious, or fraudulent statement or representation to any person; or
(ii) providing any document or other information to any person that the information broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.
(B) PROHIBITION ON SOLICITATION TO OBTAIN PERSONAL INFORMATION UNDER FALSE PRETENSES- It shall be unlawful for an information broker to request a person to obtain personal information or any other information relating to any other person, if the information broker knew or should have known that the person to whom such a request is made will obtain or attempt to obtain such information in the manner described in subparagraph (A).
(c) Exemption for Certain Service Providers- Nothing in this section shall apply to a service provider for any electronic communication by a third party that is transmitted, routed, or stored in intermediate or transient storage by such service provider.
In this Act, the following definitions apply:
(1) BREACH OF SECURITY- The term 'breach of security' means unauthorized access to or acquisition of data in electronic form containing personal information.
(2) COMMISSION- The term 'Commission' means the Federal Trade Commission.
(3) DATA IN ELECTRONIC FORM- The term 'data in electronic form' means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.
(4) ENCRYPTION- The term 'encryption' means the protection of data in electronic form in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.
(5) IDENTITY THEFT- The term 'identity theft' means the unauthorized use of another person's personal information for the purpose of engaging in commercial transactions under the name of such other person.
(6) INFORMATION BROKER- The term 'information broker'–
(A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any non-affiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and
(B) does not include a commercial entity to the extent that such entity processes information collected by and received from a non-affiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party to (1) provide benefits for its employees or (2) directly transact business with its customers.
(7) PERSONAL INFORMATION-
(A) DEFINITION- The term 'personal information' means an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number.
(ii) Driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity.
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
(B) MODIFIED DEFINITION BY RULEMAKING- The Commission may, by rule promulgated under section 553 of title 5, United States Code, modify the definition of 'personal information' under subparagraph (A)–
(i) for the purpose of section 2 to the extent that such modification will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act; or
(ii) for the purpose of section 3, to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.
(8) PUBLIC RECORD INFORMATION- The term 'public record information' means information about an individual which has been obtained originally from records of a Federal, State, or local government entity that are available for public inspection.
(9) NON-PUBLIC INFORMATION- The term 'non-public information' means information about an individual that is of a private nature and neither available to the general public nor obtained from a public record.
(10) SERVICE PROVIDER- The term 'service provider' means an entity that provides to a user transmission, routing, intermediate and transient storage, or connections to its system or network, for electronic communications, between or among points specified by such user of material of the user's choosing, without modification to the content of the material as sent or received. Any such entity shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage or connections.
Although HR 1707 would preempt state information security laws, there are still avenues for State attorneys general to direct their activity, such as consumer protection laws. ISPLA will be working to ensure that the activities of investigators do not fall under the definition of an information broker under the provisions of this proposed legislation. ISPLA is carefully reviewing all aspects of this bill and will keep you apprised of further developments and our ongoing lobbying work in Washington, DC.
ISPLA Director of Government Affairs
To join us and support our proactive efforts, please visit www.ISPLA.org. We do much more than just keep the profession informed!