HR2221: Data Accountability and Trust Act

HR2221: Data Accountability and Trust Act

In light of the various ESP-related data breaches we've seen, exposing various email lists to spammers and the world over the past couple of years, it seems this is something the email service industry ought to be keeping an eye on. A friend tipped me that Bill HR2221, the Data Accountability and Trust Act, has passed the House and is now in a Senate subcommittee.

The bill seems to require everyone "engaged in interstate commerce" to establish security policies and procedures, and directs the FTC to promulgate regulations to that effect.  It "requires information brokers to: (1) establish procedures to verify the accuracy of collected information that specifically identifies individuals; (2) provide annually, and without cost, to individuals whose personal information it maintains a means to review it; (3) place a notice on the Internet instructing individuals how to request access to such information; (4) correct inaccurate information upon request; and (5) in the case of information brokers that do use data for marketing purposes, allow individuals to decide if their information can be used."

In the case of a data or security breach, it requires the breached entity to notify the FTC and all affected individuals, within 60 days of the breach. It also includes requirements for notifying credit reporting agencies and providing credit monitoring in some instances.

Read all about it here.
by
Labels
Al Iverson
I've lived in Chicago since 2006. I spend a lot of time in hotels. I spend the time catching up on emails, blogging, writing shell scripts, and solving complex email-related equations. The system says I've been a Blogger user since April 2006. Actually, most of my sites are far older -- spamresource.com in particular has been a dumping ground for my thoughts on spam going back to 2001. I've been doing the whole "blog thing" for years, before I knew to call it blogging. I'm a jazz fan and my favorite club in the world is the Artists' Quarter in St. Paul, Minnesota.
4 Comments

Comments

  1. Suresh Ramasubramanian10:42 PM, September 29, 2010

    Glad to see you liked it :)

    The compliance burden is going to be awesome in case there's a major data breach, but this is very customer friendly indeed.

    Good for the FTC. And for the consumers. Not so good for the CISOs

    ReplyDelete
  2. Al Iverson10:51 AM, September 30, 2010

    Thank you kindly for sharing it to the list. :)

    Working for an ESP, I do potentially freak out at the requirements for notification/credit monitoring after a breach. But, better to not have a breach at all, so it is potentially a good stick to nudge companies to get their PII handling practices in order.

    ReplyDelete
  3. Joe Sniderman10:32 PM, October 02, 2010

    Al:
    After having a peek at the bill, I'm a bit unclear how that would apply to ESPs in general.

    IANAL, but it looked to me as if based on how "personal information" is defined in section 5, that its targeting CRA's that also do marketing, rather than ESPs in general... unless of course "address" includes "email address."

    I surely hope ESPs don't keep lists of SSNs, DL #s, passport #s, etc or banking info of their clients' recipients..

    That being said, stolen email addresses pose more of a spam risk than an identity theft risk I'd think. So yeah ESP data breaches can be serious problem, but not sure how this particular bill would even partially address it.

    Am I making sense? Or am I missing the point (or part thereof) ?

    ReplyDelete
  4. Al Iverson2:12 PM, October 03, 2010

    I could always be wrong; we shall see. Here's a question: How does an ESP prohibit a client from storing such data in their account? I can tell them to prohibit it, but any programmatic monitoring will be imperfect (and would need to be built).

    ReplyDelete

Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.