The Data Accountability and Trust Act, or DATA, is expected to be passed into law in 2011. If it passes, it will change several things about how future data breaches are handled, including whether or not you get told when your information is lost. HR 2221 will be yet another identity theft law assigned to the FTC for enforcement.
Today there are 48 different state data breach notification laws, covering almost every state, in addition to national data privacy laws such as FACTA, HIPAA and COPPA. A company that does business in several states will usually notify every one of them, even the states where none of its clients were affected. DATA would preempt the state laws and provide a single standard across the board.
The Effects of DATA
There is some debate about how DATA will affect notification. In an interview early in 2010, David Navetta (Founding Partner, Information Law Group) said that a specific clause, the "Risk of Harm" provision, would most likely allow some breaches to go unreported that are reported today. There is also a price tag for data breaches buried in DATA, so companies will be paying closer attention to whether or not they have to tell you.
Under DATA, companies will be required to notify you if the breach meets the Act's thresholds. They will have to tell you within 60 days, and they must say specifically what information was compromised. When I got my letter from the VA breach, all they said was watch out; a friend of mine got his letter far earlier, and they provided him with free credit monitoring for a year, representing a change in how they chose to address the issue.
They will also have to report the breach to the credit bureaus if more than 5,000 accounts are compromised. There are even provisions for third parties that maintain information on behalf of other companies. All told, the notification terms of DATA seem to favor the consumer.
Companies that lose your information will be required to provide two years of credit monitoring, as well as a toll-free number you can call for more information about the breach. Although the 800 number is a good idea, most identity theft experts agree that credit monitoring is insufficient protection against identity theft. Credit monitoring is like a smoke detector: it tells you there is a problem, but it does nothing to put the fire out.
The Fines of DATA
Just like every other identity theft law, DATA includes penalties for companies that do not comply: $11,000 per person not notified when a breach falls under DATA's guidelines. This clause is a little confusing, though, because fines under DATA are capped at $5 million. At $11,000 a head, the cap is reached at roughly 450 people, less than 10% of the 5,000-account threshold that triggers reporting to the credit reporting agencies (Experian, etc.).
Of course, businesses will have other financial considerations too, since setting up the 800 number and paying for two years of credit monitoring for each affected individual does not come cheap. A company weighing the cost of a business identity theft or data breach will have to add these to the fines, then estimate how much of its employees' time will be consumed dealing with the issue, and try to gauge how much business will be lost through loss of public trust.
In the end, businesses will doubtless opt to encrypt their data. Encrypted data sidesteps nearly all of the notification requirements, as long as the encryption key was not lost along with it; in practice that means the keys must be stored and managed separately from the data they protect, or the exemption does not apply.
However, even once DATA is enacted, you will still want to keep an eye on protecting yourself from identity theft. After all, a data breach is only one of the ways you can become a victim. Of the 7 types of identity theft, DATA seems to be focused on financial identity theft only, but the jury's still out on that.