NEWS RELEASE
Committee on Energy and Commerce
Joe Barton, Chairman / John D. Dingell, Ranking Member

Committee Releases Draft Bill to Fight Identity Theft

WASHINGTON – Bipartisan legislation drafted by the House Energy and Commerce Committee staff would offer consumers greater protection amid the growing misuse of personal information and impose new regulations on those possessing or trading the data.

The committee released the “discussion draft” today and the Subcommittee on Commerce, Trade and Consumer Protection will hold a hearing on the measure later this month. The panel has held two hearings this year on identity theft issues.

“I have been troubled by recent security breaches at companies in a range of industries from data brokers to retail outlets,” said committee Chairman Joe Barton, R-Texas. “Every day seems to bring some horror story about how identity thieves have raided or conned their way into an electronic storehouse that was supposed to be safe and secure. Identity theft is not much different than burglary, and more and more it looks like the crooks are walking into places where the doors and windows have been left open.”

“Widespread data breaches and identity thefts suggest that truly secure systems are the exception rather than the rule and that the crooks are many steps ahead of us,” said Congressman John D. Dingell, D-Mich., Ranking Member of the committee. “I intend to support tough legislation mandating enhanced security practices, and swift and strong punishment for those who violate the law and harm consumers. We owe it to the American public to pass legislation this year.”

Specifically the legislation:

• Directs the Federal Trade Commission (FTC) to promulgate rules requiring security for sensitive personal information and authorizes new funding to enforce them. The rules must include requirements for entities to:
  • Have a security policy, in addition to a statement about that policy with regard to the “collection, use, sale, other dissemination, and security” of the data they hold.
  • Appoint and identify a person in the organization responsible for information security.
  • Have a process for taking preventive and corrective action—including, but not limited to, encryption technologies—to solve any weaknesses in or problems with their security.
• Mandates timely notification – both written and electronic – of consumers nationwide in the event of a data breach that results in “a reasonable basis to conclude” that identity theft is a possibility. Clear notice on the breached entity’s website is also required. The FTC, and any financial institution whose issued accounts may be affected, must be notified as well.
• Following a breach and notice, the breached entity must provide at no cost to the individual a credit report from each of the major credit reporting agencies, and a 1-year subscription to a credit monitoring service.
• Information brokers must submit their security policies to the FTC for audit and approval on an annual basis. They are also required to provide upon request a free report annually on what information that company holds on that individual. The companies must also post prominent notice on their website informing consumers of this service, and explaining how they can take advantage of it.
• Creates a uniform national rule for data protection, preempting any state law that expressly regulates security breaches, and requires notification of such breaches.

# # #