With four separate national data security breach notification bills being drafted in Washington, the Direct Marketing Association says the odds are “much higher” that one of them will pass by the end of the year.
But for now, DMA senior vice president of government affairs Jerry Cerasale says the association is concerned about the verbiage in the bills being drawn up in the Senate Judiciary Committee, the Senate Commerce Committee, the House Financial Services Committee, and the House Energy and Commerce Committee, as well as what should be considered “sensitive data.”
Cerasale discussed this topic during a March 2 briefing with the DMA’s List and Database Council. He said the DMA is working with each committee to define several steps, including what would trigger the need to notify consumers of a breach, what combination of leaked information would constitute a breach, and if consumers should have the right to access and correct their own breached information.
Three of the four bills state that sensitive data include such basic information as name, address, and e-mail address when coupled with one of the following types of data: social security number, driver’s license number, or any financial account number. The fourth bill, by the Senate Judiciary Committee, includes mother’s maiden name, exact date of birth, and miscellaneous government-issued documents, such as a hunting license, as types of data that could be considered sensitive.
Regarding what should trigger the need to notify consumers that their security has been breached, all four bills would make it mandatory if there is a “significant risk.” But none of the bills have defined that term. Though the House Energy and Commerce Committee is considering a terminology change from “significant” to “reasonable,” it has not defined the difference.
“‘Reasonable’ is a lighter trigger, and it is still something we are looking into,” Cerasale said. “The next step is to ask the committees what these terms mean, and when that means we would have to notify these consumers.”
Also at issue: the definition of an information broker, which is part of the Senate Judiciary Committee, Senate Commerce Committee, and House Energy and Commerce Committee bills. They define an information broker as “a person who rents, sells, exchanges, etc. personal information to a third party on noncustomers,” Cerasale said, adding that the term “broker” is important in these bills only because of access rights by consumers. For example, the House Energy and Commerce Committee bill would allow consumers whom have been victimized the right to access and correct any breached data.
Access and correction rights are something the DMA wants removed from the bill, Cerasale said. For one thing, it would be expensive for list brokers and compilers to set up procedures enabling consumers to access and correct data. For another, the same hackers who caused the breach could also change the data. What’s more, information management solution providers such as Experian and Acxiom have been explaining their current antifraud procedures to Congress with hopes those measures will be included in the bills.
“We will have a major fight [with the House Energy and Commerce Committee] on the access and correction rights,” Cerasale predicted.