House passes Data Accountability and Trust Act

Legislation passed by the House of Representatives this week (H.R. 2221, the Data Accountability and Trust Act) includes provisions both for national standards on data breach notification and for new responsibilities and consumer empowerment protections that require data brokers and other holders of personal information to verify the accuracy of the information they hold on individuals.

With parallel action on data breach disclosure bills in the Senate, a lot of the current coverage on the House passage focuses on the breach notification provision in H.R. 2221, which simply and clearly says that anyone

“that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data notify each individual who is a citizen or resident of the United States whose personal information was acquired or accessed as a result of such a breach of security.” (H.R. 2221 §3)

The proposed law extends breach notification requirements beyond the owners of the data to third-party agents who maintain or process the data and to service providers who transmit, route, or store the data. In cases involving more than 5000 individuals, the notification must be made not only to the individuals affected and the Federal Trade Commission, but also to the major credit reporting agencies. Unless a delay in notification is warranted by law enforcement or national security concerns, notifications are to be made within 60 days of the discovery of the breach.

Separate language in Section 2 of the bill addresses requirements for ensuring the accuracy of personal information collected, assembled, or maintained by an information broker, for giving consumers access to review (at least annually) the personal information the broker holds about them, and for posting instructions that explain how consumers can request that access. There is also a provision, consistent with most major privacy principle frameworks, that requires information brokers to correct any inaccuracies in personal information, and specifically obligates them to make the changes communicated to them by individuals whose data they hold, as long as the individual’s identity is verified and the request isn’t believed to be frivolous or irrelevant. Even in cases where the broker believes the information to be correct, where the disputed information isn’t part of the public record, at minimum the information broker must note the dispute and make an effort to independently verify the information. Despite the potential for difficulty with subjective terms like “irrelevant,” this provision gives the presumption for saying what is accurate to individual consumers, rather than the information broker. The only exception is when the disputed information the broker has is part of the public record (and has been correctly reported matching the public record), in which case the broker is required to tell the individual where he or she should direct a request to correct the information in the public record.

Holding data brokers accountable for making sure their data is accurate before it gets sold or passed on to other entities who might assume the validity of the data is a step in the right direction towards creating mechanisms for asserting data integrity. Such assertions would raise the confidence level receivers or secondary users of information might have when making decisions or otherwise using the information they receive. The lack of any sort of statement (much less a guarantee) of the accuracy of data used in information exchanges can invalidate data analyses based on data of unknown integrity and can lead to erroneous decisions. In the health information exchange context, for instance, these errors can and do cause real harm, such as when the wrong medication doses appear in health records. This problem certainly exists in paper-based record-keeping, but as more and more industries move towards electronic data exchange and data integration solutions, any assumptions about the integrity of the data received through electronic channels are just those — assumptions. Making data owners and aggregators responsible for determining the accuracy of the information they hold should in theory improve the integrity and therefore reliability of the information they sell. In this sense the legal requirement, if enacted, could actually improve the saleability of the data offered by information brokers.