U.S. House of Representatives confirms encryption as the best safeguard to protect sensitive data
The Energy and Commerce Committee of the U.S. House of Representatives unanimously approved the Data Accountability and Trust Act (H.R. 4127), a bill that requires companies to launch nationwide notification campaigns if the security of sensitive consumer information, such as Social Security numbers, driver's license numbers or financial data, is breached and the information could be used for identity theft. The act recognizes data encryption as an essential, underlying security technology that provides organizations with “safe harbor” in the event of a security breach. It states that encrypted electronic data is “presumed” secure and that businesses that employ encryption technology are exempted from the nationwide notification requirement.
The act affects any person or business “involved in interstate commerce that owns or possesses [sensitive] data in electronic form.” Upon discovering a breach in the security of sensitive data, these businesses are required to implement a nationwide notification program, informing each individual whose data may have been compromised. In addition, the bill calls for notification of the Federal Trade Commission, placement of a website or Internet notice, and notification of any financial institutions that may be affected.
However, the act also says that the “encryption of (sensitive) data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption” that there is no “significant risk of identity theft to the individual to whom the personal information relates.” This means businesses that utilize encryption would be exempted from the required notifications.
The act gives the FTC enforcement powers and allocates $1 million a year to fund enforcement activities. If passed, the bill would take effect in approximately one year. The full text of the bill is available at: