
What happens if the Data Accountability and Trust Act becomes a law?

The Data Accountability and Trust Act is likely to become a law this year. Expert Mike Chapple advises organizations on how to prepare.

A federal data breach notification bill was recently introduced in Congress. How should organizations prepare in advance for the likelihood that the bill becomes a law later this year? Are there any potential changes or steps in the bill that enterprises could get ahead on?

The Data Accountability and Trust Act (DATA) is a piece of proposed federal legislation with a six-year history. It resurfaced in early 2015 with initiatives in the Senate and the U.S. House to pass federal legislation. It's far from certain whether the bills will become law, and the final language of any bill must be reconciled by Congress. That said, organizations seeking to prepare for this new regulatory requirement may wish to assess their current privacy practices.

Generally speaking, the proposals require organizations to secure personal information and notify individuals in the event of a security breach. The categories of personal information under consideration include:

  • Social Security numbers (unless truncated);
  • License numbers, passport numbers, alien registration numbers;
  • Other government-issued unique identification numbers;
  • Biometric data including fingerprints, voiceprints, retina and iris images;
  • Financial account numbers, including credit card numbers;
  • Usernames and passwords to online accounts; and
  • Name combined with at least two of the following: home address/telephone number, mother's maiden name, birth date.

Most organizations already have information security and data breach notification policies in place due to existing state requirements. If your organization already has such a policy, now would be a good time to review it and ensure that you have a complete inventory of sensitive information. You may also wish to document the security controls around such information in anticipation of new regulatory requirements.

If Congress passes the Data Accountability and Trust Act, it will likely assign enforcement responsibility to the Federal Trade Commission (FTC) and grant that agency authority to promulgate security standards and assess fines for noncompliance. The good news is that new FTC regulations will likely go through a lengthy federal rule-making process and will not become enforceable for at least a year.


This was last published in August 2015
