Committee on Energy and Commerce, Democrats Home Page

Statement of Congressman John D. Dingell, Ranking Member
Committee on Energy and Commerce

 

SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION MARKUP OF H.R. 4127, THE DATA ACCOUNTABILITY AND TRUST ACT (DATA)

November 3, 2005

Thank you, Chairman Stearns, for scheduling today’s markup. Regular order isn’t always observed in this Committee these days, and I have to speak favorably when it is.

Five months ago, a bipartisan Committee staff team was directed by the leadership of the Committee and the Subcommittee to draft legislation to address a very serious problem: widespread security-system breaches that exposed the sensitive personal information of millions of Americans to acquisition by unauthorized persons, resulting in identity theft and other harm.

All reports were that they were making good progress, and I had expected to be an original cosponsor of the resulting legislation. I had also anticipated sitting here today praising that bill.

But a funny thing happened on the way to this markup. The Subcommittee chairman decided to cut off the staff negotiations, and introduce the September 15 staff draft with Republican cosponsors only. While it is the prerogative of the chair to do so, this is a most regrettable procedural affront to the Democratic Members of the Subcommittee.

As for the substance, this bill does a lot of good. It requires all entities that hold personal information to establish and maintain security policies to prevent unauthorized acquisition of that data. Special requirements are imposed on data brokers like ChoicePoint and I support them.

The bill also purports to require nationwide notice to consumers in the event of a security breach. But the nationwide notice provisions of H.R. 4127 are actually “no notice” provisions. The bill requires notice only if the breached entity concludes that there is “a significant risk of identity theft” and identity theft is narrowly defined as “assuming another person’s identity for the purpose of engaging in commercial transactions.” Experts tell us that no notices would have gone out this year under this standard. Why bother to pass a bill at all if this is what we propose to do to the American public?

I also cannot support preemption of stronger State laws, which is what this bill mandates. If we are not prepared to provide our constituents with adequate Federal protections, we have no business putting the States out of the business of doing the right thing. Further, the bill does not authorize State Attorneys General to enforce the DATA Act, leaving the understaffed Federal Trade Commission as the sole line of defense.

I observe that the Manager’s amendment, which will be offered today, would make a number of positive changes to the bill that Democrats requested. I thank you for that. But it does not fix the serious problems with the breach notification trigger or lack of AG enforcement. It also deletes an important consumer protection: the provision allowing consumers to review the personal information maintained on them by data brokers, and to have disputed information identified and noted. I find this change most curious indeed.

This bill is worse than the status quo and undermines what the States have worked so hard to achieve. I intend to support the amendments that will be offered today by Democrats to improve this legislation. If the amendments fail, I will vote against reporting this bill to the Full Committee.

- 30 -

(Contact: Jodi Seth, 202-225-3641)

Prepared by the Committee on Energy and Commerce
2125 Rayburn House Office Building, Washington, DC 20515