HR2221: Data Accountability and Trust Act

In light of the various ESP-related data breaches we've seen over the past couple of years, exposing email lists to spammers and the world, it seems this is something the email service industry ought to be keeping an eye on. A friend tipped me that Bill HR2221, the Data Accountability and Trust Act, has passed the House and is now in a Senate subcommittee.

The bill seems to require everyone "engaged in interstate commerce" to establish security policies and procedures, and directs the FTC to promulgate regulations to that effect. It "requires information brokers to: (1) establish procedures to verify the accuracy of collected information that specifically identifies individuals; (2) provide annually, and without cost, to individuals whose personal information it maintains a means to review it; (3) place a notice on the Internet instructing individuals how to request access to such information; (4) correct inaccurate information upon request; and (5) in the case of information brokers that do use data for marketing purposes, allow individuals to decide if their information can be used."

In the case of a data or security breach, it requires the breached entity to notify the FTC and all affected individuals, within 60 days of the breach. It also includes requirements for notifying credit reporting agencies and providing credit monitoring in some instances.

Read all about it here.


  1. Glad to see you liked it :)

    The compliance burden is going to be awesome in case there's a major data breach, but this is very customer friendly indeed.

    Good for the FTC. And for the consumers. Not so good for the CISOs.

  2. Thank you kindly for sharing it to the list. :)

    Working for an ESP, I do potentially freak out at the requirements for notification/credit monitoring after a breach. But, better to not have a breach at all, so it is potentially a good stick to nudge companies to get their PII handling practices in order.

  3. Al:
    After having a peek at the bill, I'm a bit unclear how that would apply to ESPs in general.

    IANAL, but it looked to me as if, based on how "personal information" is defined in section 5, it's targeting CRAs that also do marketing, rather than ESPs in general... unless of course "address" includes "email address."

    I surely hope ESPs don't keep lists of SSNs, DL #s, passport #s, etc., or banking info of their clients' recipients.

    That being said, stolen email addresses pose more of a spam risk than an identity theft risk, I'd think. So yeah, ESP data breaches can be a serious problem, but I'm not sure how this particular bill would even partially address it.

    Am I making sense? Or am I missing the point (or part thereof)?

  4. I could always be wrong; we shall see. Here's a question: How does an ESP prohibit a client from storing such data in their account? I can tell them to prohibit it, but any programmatic monitoring will be imperfect (and would need to be built).


Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.