I just learned that Congress recently passed the “Data Accountability and Trust Act” out of the House Committee on Energy and Commerce. The Act, as drafted, requires so-called data brokers to formulate a security policy on how to handle sensitive consumer data. Also, according to the publication E-Week.Com,
If a breach occurs, the Federal Trade Commission or an independent auditor would review the broker’s security plan following a breach, and subsequently the FTC would be permitted to require audits for five years.
If there is a reasonable risk of ID theft, fraud or unlawful conduct as a result of a breach, the company would have to notify U.S. consumers whose data was acquired by an unauthorized person as a result of the breach. The company would also have to notify the FTC and post a notice on its Web site.
Preventing or minimizing identity theft has certainly been a goal in Congress and this legislation presents its most recent efforts to accomplish this goal.
I have some mixed emotions about this proposed legislation. On the one hand, I think some of the bill requirements are helpful and present some uniformity without becoming overly intrusive on private business. On the other hand, I am not sure that the protections written into the bill go far enough. For example, I did not see any discussion in the article about providing a private cause of action and remedy to consumers in case somebody steals their identity. Perhaps Congress should not get into the business of telling states what civil causes of action may ensure that consumers have private remedies available to them when a business acted improperly and, as a result, somebody stole their identity. Perhaps these private remedy issues are better left to our state legislatures. Along those lines, Arizona should step up to the plate and ensure that such a private remedy provides sufficient safeguards and incentives for business to protect sensitive data. In fact, in Arizona, our Consumer Fraud Act already provides some protection for victims if the attorney general has reason to believe a business or individual engaged in fraudulent activity. However, this consumer fraud legislation has been limited in recent years; private statutory remedies are almost non-existent for identity theft victims. In my opinion, the Arizona legislature should revise the Consumer Fraud Act, beginning at A.R.S. section 44-1521, and provide identity theft victims with real protection. Private civil remedies, including the risk of punitive damages awards against identity theft perpetrators or facilitators, provide tremendous incentive to business owners to keep confidential consumer data private. I only hope that members of the Arizona legislature agree.