Rush opening statement for Energy and Commerce Committee;

WASHINGTON -- "Today, the Committee on Energy and Commerce is considering three bills for mark-up, two of which were voted favorably out of the Subcommittee on Commerce, Trade and Consumer Protection on June 3, 2009. Each of these bills has been improved since subcommittee markup and introduction to better protect consumers, while ensuring that industry is not excessively regulated.

"Chairman Waxman's Manager's Amendment makes several changes to H.R. 2221 and to H.R. 1319 in the nature of a substitute. The first bill we will take up is H.R. 2221, the Data Accountability and Trust Act. This new bill addresses data breaches by requiring entities holding personal information to adopt reasonable and appropriate security measures to protect that information, and for those covered entities to notify affected consumers in the event of a breach barring any "reasonable risk of identity theft, fraud, or other unlawful conduct."

"First, the Manager's Amendment makes several deletions to requirements contained in the original bill.  Specifically, the FTC would no longer be required to make additional findings in association with its rulemaking authority to prescribe standards for destroying paper documents containing personal information.

"Second, the Amendment clarifies that Congress shall deem that covered entities - which are subject to more strict or "substantially similar" Federal data security statutes such as the Gramm-Leach-Bliley Act's Safeguards Rule and the Health Insurance Portability and Accountability Act - are in compliance with the amended bill's data protection and notification safeguards.

"Third, the Amendment clarifies that an exemption for fraud databases will be extended to data brokers. It also permits consumers to prohibit the use of their personal information for marketing purposes in select circumstances in lieu of access and dispute resolution.

"Fourth, the Amendment would now impose, on covered entities, a 60-day consumer notification requirement following the discovery of a breach, absent extraordinary circumstances.

"Fifth, the Amendment expands consumers' options for redress in the event of a breach by affording consumers free credit monitoring or other services to detect misuse of personal information, as an alternative to free credit reports.

"Sixth, the Amendment vests authority in the FTC to determine, over time, which security technologies and methodologies would entitle covered entities using said technologies and methodologies to a rebuttable presumption, exempting them from the Section 3 requirement to provide notification to consumers in the event of a breach. If the FTC or the States attorneys general can show, however, that notwithstanding the adoption of such technologies there still is a "reasonable risk of identity theft, fraud, or other unlawful conduct" following the data security breach, then the rebuttable presumption would fail.

"Seventh, the Amendment clarifies that H.R. 2221 applies only to commercial entities that are subject to FTC jurisdiction and that the civil penalties cap relating to State enforcement could not exceed $5 million per discrete violation.

"Eighth, the Amendment pre-empts State data security and breach notification laws.
"Finally, the Amendment adds a new definition term in Section 6 of the bill for "service provider." It is important in that entities fitting under the definition would be exempt from the bill's Section 2 security practices and policy requirements, and from Section 3 consumer notification requirements. A "service provider" is defined as "an entity that [merely] provides to a user transmission, routing, intermediate and transient storage, or connections to its system or network."
  
# # #