The Direct Marketing Association has again called for legislation that would create a national standard for notifying consumers in the event of the loss or theft of personal data without impeding the legitimate exchange of data necessary for electronic commerce.
The Senate Committee on Commerce, Science and Transportation is expected to introduce a data security bill in the next two weeks. In a letter sent last week to committee leaders the DMA outlined the principles it supports for any data security legislation.
“When we apply for a car loan, shop online or swipe a debit card at the grocery store, it is the responsible collection and use of personal information that makes these convenient and quick transactions possible,” said Steven Berry, DMA’s executive vice president for government and consumer affairs, in a statement. “To maintain trust in today’s information-driven economy, we must ensure that the personal data that makes electronic transactions possible is vigorously protected against theft, fraud or unauthorized use.”
Members of Congress introduced security breach bills earlier this year, and the industry has been following the action closely to see whether a federal bill will be passed.
In the Senate, for example, Sen. Patrick Leahy (D-VT), chairman of the Senate Judiciary Committee, and Sen. Arlen Specter (R-PA), ranking member of the same committee, introduced on Feb. 6 a revised version of their Personal Data Privacy Act that was approved by the Senate Judiciary Committee last year, but it died before a floor vote.
A key feature of the legislation, S. 495, includes increasing criminal penalties for identity theft involving electronic personal data and making it a crime to intentionally or willfully conceal a security breach involving personal data.
In recent years, the DMA has issued member guidelines on responsible data stewardship and worked closely with the Federal Trade Commission to develop a checklist of broad security procedures that marketers are encouraged to follow.
However, the DMA also recognizes that creating a secure online marketplace will require steps beyond what the DMA can promote within its own membership. To that end, the DMA continues to support Congressional efforts to enact a clear national standard for the safeguarding of sensitive information and the prompt notification of consumers when compromised data puts them at risk for identity theft.
As outlined in the letter to Committee Chairman Daniel Inouye (D-HI) and Vice Chairman Ted Stevens (R-AK), the DMA said legislation should do the following.
–Focus only on information that is truly sensitive, i.e., that which could be used to steal a consumer’s identity.
–Require a “trigger” for consumer notification when a data breach puts the consumer at a real risk of harm.
–Set flexible standards for businesses that collect personal information for security and verification purposes. DMA supports using security practices established under the Gramm-Leach-Bliley Act as a model.
–Apply only to breaches of computerized data, which present the overwhelming majority of situations that pose risk to consumers.
–Create flexible timelines for notification that will allow businesses to investigate breaches and work with the appropriate law enforcement officials.
–Preserve the ability of businesses to use Social Security numbers for verification and authentication purposes.
“Right now, businesses, nonprofits and government agencies are operating under a confusing and often conflicting patchwork of state laws,” Mr. Berry said. “We hope that Congress will work quickly and cooperatively to address this important issue and set a clear national standard that will protect businesses and consumers alike.”
