House Commerce Subcommittee Marks Up Data Accountability and Trust Act

June 3, 2009. The House Commerce Committee's (HCC) Subcommittee on Commerce, Trade, and Consumer Protection amended and approved HR 2221 [LOC | WW], the "Data Accountability and Trust Act".

It approved by voice vote an amendment in the nature of a substitute [35 pages in PDF].

Rep. Bobby Rush (D-IL), the Subcommittee Chairman, introduced this bill on April 30, 2009. He stated at the mark up that this bill is a "work in progress" and that further changes will be made before the full Committee mark up. He also promised to work in a "cooperative and deliberative manner" with Committee Republicans. See also, opening statement read by Rep. Rush at the beginning of the mark up.

This bill has bipartisan support. Its original cosponsors also include Rep. Cliff Stearns (R-FL), Rep. Joe Barton (R-TX), and Rep. George Radanovich (R-CA). Rep. Stearns, a former Chairman of this Subcommittee, introduced predecessor legislation in the 109th Congress.

This Subcommittee held a hearing on HR 2221 and HR 1319, the "Informed P2P User Act", on May 5, 2009. See, prepared testimony of witnesses: Eileen Harrington (Federal Trade Commission), David Sohn (Center for Democracy and Technology), Robert Holleyman (Business Software Alliance), Martin Lafferty (Distributed Computing Industry Association), Stuart Pratt (Consumer Data Industry Association), Marc Rotenberg (Electronic Privacy Information Center), Robert Boback (Tiversa, Inc.), and Thomas Sydnor (Progress & Freedom Foundation).

The bill contains a federal data breach notification requirement, preempts certain state laws, and requires companies and persons that hold data with personal information to develop security measures.

Section 2 of the bill (amendment approved on June 3) pertains to data security. It requires the FTC to write rules that "require each person engaged in interstate commerce that owns or possesses data containing personal information, or contracts to have any third party entity maintain such data for such person, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information ..."

Section 3 of the bill establishes a national data breach notification requirement.

It provides that "Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data ... notify each individual who is a citizen or resident of the United States whose personal information was acquired by an unauthorized person as a result of such a breach of security" and notify the FTC.

Section 4 of the bill gives the FTC civil enforcement authority. It shall treat violations of Sections 2 and 3 as an unfair and deceptive act or practice. The bill also gives civil enforcement authority to state attorneys general, and sets limits on civil penalties.

Section 5 of the bill contains definitions.

Section 6 preempts certain state laws. It provides that "This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly (1) requires information security practices and treatment of data containing personal information similar to any of those required under section 2; and (2) requires notification to individuals of a breach of security resulting in unauthorized access to or acquisition of data in electronic form containing personal information."

Moreover, it provides that "No person other than the Attorney General of a State may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act."

However, this bill does not preempt state consumer protection, trespass, contract, tort or fraud laws.