Data Accountability & Trust Act [DATA] (H.R. 2221)
STATUS: Passed by the U.S. House of Representatives, December 2009. Dec 9, 2009: received in the Senate, read twice and referred to the Committee on Commerce, Science, and Transportation.
FULL NAME: Data Accountability & Trust Act
TARGET: Data brokers, defined by the Act as entities primarily engaged in the collection of personal data on more than 5,000 individuals for a fee and the transmission of that data through interstate commerce to third parties. However, if the FTC remains the primary enforcement agency, organizations outside FTC jurisdiction (banks, savings and loans, airlines and railroads) will be exempt.
DESCRIPTION: The Act (along with the similar S. 1490) is intended to create a nationwide set of regulations for data brokers, enforced by a new set of federal offenses and penalties for violations. It would establish a uniform set of rules governing the collection and protection of consumers' Personally Identifiable Information (PII), as well as rules governing notification of security breaches involving PII. Specific to our interests, it directs the FTC to specify processes for disposing of obsolete electronic and non-electronic data containing PII.
Personal information is defined as an individual’s first name or initial and last name,
or address, or phone number, in combination with any one or more key elements
such as Social Security number, driver’s license number or other State identification
number, financial account number, or credit or debit card number, and any required
security code, access code, or password that is necessary to permit access to an
individual’s financial account.
This bill is purposely consistent in intent and language with the forty-six existing state data breach notification laws and with the pending Senate bill S. 1490. One of the bill's intentions is to pre-empt state laws already passed, theoretically establishing a uniform regulatory climate. Both H.R. 2221 and S. 1490 would create a regulatory standard governing the collection, storage and disposal of consumer PII.
DATA SECURITY FACTORS: The Federal Trade Commission (FTC) is emerging as the principal enforcement agency responsible for defining proper technical procedures for protecting data. Among the requirements set forth by the Act, organizations holding private data must establish a data security policy, identify an information security officer and set up a process for identifying vulnerabilities. This combination of a written policy, a named accountable officer and a vulnerability-identification process is the key component of virtually all recent data privacy protection legislation. Organizations must also monitor for breaches and establish processes for securely destroying end-of-service data on hard drives and other electronic media.
The Act deems an information broker to be in compliance with the relevant provisions of the Act if the broker is in compliance with any other federal information security statute that specifies similar or greater protections than those required under H.R. 2221.
ENFORCEMENT / PENALTIES: H.R. 2221 specifies civil penalties for violations of its information security requirements. Organizations can be fined for not establishing a data security policy or not naming a data security officer. The bill provides for penalties of up to $11,000 a day for each day the organization is out of compliance. Penalties for data breaches are calculated by multiplying the number of violations of each section by an amount not greater than $11,000; each failure can be treated as a separate violation. The maximum civil penalty calculated under this clause shall not exceed $5,000,000.
State attorneys general may initiate enforcement following data breaches, with additional enforcement or intervention by the FTC possible.