Federal Data Breach Bill (H.R. 2221) Passes House

2009-12-09 by d2d House

Yesterday, for the first time ever, a data breach notification bill actually came to a vote in the United States Congress. The House of Representatives passed by voice vote H.R. 2221, the Data Accountability and Trust Act. This bill and others have been introduced many times over the past several sessions of Congress, but unlike other similar bills and this bills' predecessors, H.R. 2221 not only came out of committee, but was voted on and passed.

This bill is similar in nature to multiple state breach notification laws that have already been passed. Here are some highlights:

H.R. 2221 defines personal information as, "an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

  • (i) Social Security number
  • (ii) Driver's license number or other State identification number
  • (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account."

Some more details include:

  • The Federal Trade Commission would be the responsible agency.
  • The FTC would ultimately define the proper technical procedures for protecting data.
  • Organizations that have data need to establish a data security policy.
  • Organizations must identify an information security officer.
  • Organizations must have a process for identifying vulnerabilities, and monitoring for breaches.
  • Organizations need a process for securely destroying data that is no longer required.
  • Breaches need to be reported to the consumers affected, and the FTC, unless:
    • "there is no reasonable risk of identity theft, fraud, or other unlawful conduct.", which will be defined by the FTC should the bill pass.
    • The organization experiencing the breach does not fall under the jurisdiction of the FTC.

The jurisdiction point is significant. The FTC does not have the power to enforce regulations on government, banks, savings and loan institutions, the insurance industry, and non-profits, which include colleges and universities. These limitations seem significant.

The bill has some more stringent requirements for "data brokers", including audits in the event of a breach. It also requires two years of quarterly credit reports provided to victims at no charge. Third parties are required to notify customers in the event of a breach, and the actual owner of the data is then required to notify consumers. There is an encryption exemption (in addition to whatever exemptions the FTC will define) should the bill become law. The FTC would also be tasked with posting breaches on their website if the commission deems it in the public interest on a case-by-case basis.

There are several other interesting subtleties in this bill, and we encourage anyone interested to read the bill themselves. The law has some gaping holes, such as FTC jurisdiction, and may preempt stronger state laws. On the flip side, it would certainly add some degree of consistency for organizations experiencing breaches, and would simplify compliance as a result. It also would provide notification for consumers in states without breach notification laws. For these reasons and many more, it behooves everyone to familiarize yourselves with this particular proposed legislation.

Updated (12-10-2009): See Incidents that may have been exempt from this bill were it law at the time of the incidents.

Finally, below is a clip of the bill being explained in the House, and subsequently passing by voice vote:


by Anonymous on 2009-12-10 (over 4 years ago)

On the whole, this is a major step forward. We all expected federal pre-emption would occur, but the timing is what's surprising -- namely how long it's taken to get something through even to this point in the legislative process.

I'm at a bit of a loss regarding how some of the largest and most notorious "losers of data" (e.g., government, banks, savings and loan institutions, the insurance industry, and non-profits, which include colleges and universities) are going to be regulated, and by whom. As d2d posts above, this seems, as is, significant.

Sean Steele, CISSP, CISA
Washington, DC

by d2d [Data Loss Maven] on 2009-12-10 (over 4 years ago)

For some perspective, this law would exempt due to jurisdiction potentially half of all data breaches to date.


The above search does not include, for instance, insurance.

Seems a bit, silly...

by Anonymous on 2009-12-10 (over 4 years ago)

From a political perspective, this is easy to understand. It is likely that the myriad of regulators covering (say) financial institutions will undergo a serious overhaul in the near future, so why hitch your wagon to a horse that is about to shapeshift into something you might not like?

by d2d [Data Loss Maven] on 2009-12-10 (over 4 years ago)

No doubt about it, but seems like hitching the wagon to a bunny rabbit won't accomplish much either, no? I suppose its better than nothing, but given the speed with which legislation is changed, I'm still somewhat concerned.

by Anonymous on 2009-12-10 (over 4 years ago)

One other hole - breach of security is defined as "the unauthorized access to or acquisition of data IN ELECTRONIC FORM form containing personal information." (emphasis added) Looks to me like being the victim of dumpster diving or someone walking off with a bunch of paper files is not a security breach as defined here, and is not subject to notification. Doesn't anyone kick it old school any more?

by Anonymous on 2009-12-11 (over 4 years ago)

If this is passed, will it require universities to comply? If so, who is the enforcing agency?

by Anonymous on 2009-12-11 (over 4 years ago)

"The FTC would ultimately define the proper technical procedures for protecting data."

So... government know-nothing assclowns are going to start dictating to business the procedures for securing data? That's going to work out *great*, especially considering they can't secure their own sensitive data from a 5 year old with a text editor:


The geniuses in congress never cease to find new ways to screw things up.

by Anonymous on 2009-12-13 (over 4 years ago)

"Individuals" are not companies.

California law protects companies as well as individuals, such as breaches that make off with lots of money in their bank accounts.

Comment by Al Macintyre.

by Anonymous on 2009-12-13 (over 4 years ago)

I suggest link to this page be included with mention of HR 2221 on page:


Al Macintyre

New Comment

Are you human?

Sponsored By: Rbs Zecurion
Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail [email protected] with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2014, Open Security Foundation, All Rights Reserved.