d. The Financial Data Protection Act.
The proposed Financial Data Protection Act (FDPA) was introduced on October 6, 2005 by Representative Steven LaTourette [R-OH] and 14 co-sponsors.13 This bill has not made it out of the House committee. Most bills do not progress from committee to the entire House. If passed, this legislation would also completely preempt all state security breach notification laws.
The FDPA would amend the Fair Credit Reporting Act. The FDPA requires consumer reporters to investigate potential breaches of sensitive personal information. A consumer reporter is defined as “any consumer reporting agency or financial institution, or any person which, for monetary fees, dues, on a cooperative nonprofit basis, or otherwise regularly engages in whole or in part in the practice of assembling or evaluating consumer reports, consumer credit information, or other information on consumers.” Sensitive financial personal information includes a financial account number combined with an access, security, or biometric code or other password or personal identification information. It also includes the first and last name, address or telephone number, and any one of the following: a social security number, driver’s license or identification number, or taxpayer identification number.
If the breach may result in substantial harm or inconvenience to any consumer to whom the information relates, the consumer reporter must promptly notify:
- the Secret Service;
- the appropriate regulatory agency;
- any entity that owns or is obligated on a financial account that may be subject to unauthorized transactions as a result of the breach;
- if the breach involves 1,000 or more consumers, each nationwide consumer reporting agency; and
- any appropriate critical third party.
Consumer reporters must also provide notice to consumers if there is a breach that results in a reasonable probability that personal information may be misused. This notice must be made without unreasonable delay. If requested, the consumer reporter must make free credit monitoring services available to consumers for six months. Consumer reporters may delay notice if notice would impede a current civil or criminal investigation. The functional regulatory agencies would be responsible for enforcement of the FDPA.
e. The Data Accountability and Trust Act.
The proposed Data Accountability and Trust Act (DATA) was introduced on October 26, 2005 by Representative Clifford Stearns [R-FL] and 8 co-sponsors.14 It also has not progressed from the committee and would preempt state law.
The DATA would require any person engaged in interstate commerce to (1) report a breach of security to every individual whose personal information was acquired by an unauthorized source, (2) to notify the FTC, (3) to place a conspicuous notice on the Internet website of the person, and (4) if the breach involves financial account information, to notify the financial institution that issued the account. Notification must be made as promptly as possible and without unreasonable delay. Persons could notify individuals of the breach in writing or via electronic mail, and the proposed law would also allow substitute notification if certain criteria were met.
For purposes of the DATA, personal information includes an individual’s first and last name and any one of the following:
- social security number;
- driver’s license number or other state identification number; or
- financial account number, credit card number, debit card number, and any required security code, access code, or password.
This proposed legislation would require each person providing notification to individuals to also provide a free copy of the individuals’ credit report from at least one major credit reporting agency.
The FTC would enforce violations of the DATA. Although the bill would preempt state notification laws, it specifically excludes from preemption actions based on state trespass, contract, and tort laws as well as other state laws relating to acts of fraud. In other words, if this legislation were enacted, individuals might be able to seek redress under state law for injuries resulting from unauthorized disclosure of their personal information.
III. The New Standard of Care – How to Avoid Liability
Security breaches can be costly. In the past several months, the FTC has investigated and sanctioned several companies for lapses in security involving customer information. For instance, Superior Mortgage Company was accused of misrepresentation by the FTC because it claimed its data was encrypted, but the information was decrypted before it was transmitted via electronic mail to its headquarters.15 Superior Mortgage agreed to refrain from making misrepresentations and submitted to FTC monitoring for 10 years. DSW was sanctioned for storing unencrypted files that were easily accessed using a commonly known user name and password. DSW agreed to implement comprehensive security measures and submit to FTC compliance monitoring for 20 years.16 ChoicePoint agreed to pay $15 million in fines and restitution and allow 20 years of monitoring after it provided sensitive personal information