Encryption Confirmed as Best Safeguard to Protect Sensitive Data by U.S. House of Representatives

Data Accountability and Trust Act (H.R. 4127) approved by the House for Protection of Consumer Information.

The Energy and Commerce Committee of the U.S. House of Representatives unanimously approved The Data Accountability and Trust Act (H.R. 4127), a bill that requires companies to launch nationwide notification campaigns if the security of sensitive consumer information, such as Social Security Numbers, driver's license numbers or financial data, is breached and could be used for identity theft. This act recognizes data encryption as an essential, underlying security technology that provides organizations with “safe harbor” in the event of a security breach. It states that encrypted electronic data is “presumed” secure and that businesses that employ encryption technology are exempted from the nationwide notification requirement.

“The Data Accountability and Trust Act recognizes encryption is a fundamental enabling technology for protecting electronic data and fulfilling regulatory compliance,” said GuardianEdge Technologies’ President and CEO Alan Fudge. “An increasing number of government regulations, such as California’s SB 1386 and 22 other state laws around the country, exempt encrypted data from these stiff notification requirements.”

Highlights of the Act

Introduced by Representative Cliff Stearns (R-Fla.) and co-sponsored by eight members of the House, The Data Accountability and Trust Act is one of many measures lawmakers have introduced to protect sensitive consumer information since the watershed ChoicePoint data breach in March 2005.

The act affects any person or business “involved in interstate commerce that owns or possesses [sensitive] data in electronic form.” Upon discovering a breach in the security of sensitive data, these businesses are required to implement a nationwide notification program, informing each individual whose data may have been compromised. In addition, the bill calls for notification of the Federal Trade Commission, placement of a website or Internet notice, and notification of any financial institutions that may be affected.

However, the act also says that the “encryption of (sensitive) data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption” that there is no “significant risk of identity theft to the individual to whom the personal information relates.” This means businesses that utilize encryption would be exempted from the required notifications.

The act gives the FTC enforcement powers and allocates $1 million a year to fund enforcement activities. If passed, the bill would take effect in approximately one year. The full text of the bill is available at: http://thomas.loc.gov/cgi-bin/bdquery/z?d109:H.R.4127:

Other Legislation

Similar laws are also under consideration in the U.S. Senate, including The Identity Theft Protection Act (S. 1408, introduced by Senator Gordon Smith, R-Ore.); The Notification of Risk to Personal Data Act (S. 115 and S. 751, introduced by Senator Dianne Feinstein, D-Calif.); and The Personal Data Privacy & Security Act of 2005 (S. 1789, co-sponsored by Senators Arlen Specter, R-Pa., and Patrick Leahy, D-Vt.).

GuardianEdge has established a resource on the current U.S. legislative landscape and pending consumer information protection acts. The report, titled “Identity Theft and U.S. Data Protection Legislation: An Overview,” provides an update on the current state of federal information security laws as well as Sarbanes-Oxley, the Gramm-Leach-Bliley Act and HIPAA (Health Insurance Portability and Accountability Act). It is available online.

In addition, GuardianEdge has posted frequently asked questions about the Specter-Leahy bill, S. 1789. This FAQ also appears on the GuardianEdge Web site.

About GuardianEdge

GuardianEdge Technologies is a market leader in reducing the cost and complexity of enterprise data security. More than 1 million users around the world depend on GuardianEdge solutions to protect sensitive and proprietary information, to ensure compliance with rules for safeguarding privacy and to enable secure enterprise mobility. Major organizations that now use the company’s encryption software include Lockheed Martin Corporation, Deutsche Bank AG and Humana Inc., as well as numerous agencies in the U.S. Departments of Defense, State and Education. http://www.guardianedge.com

For Information Contact:

Steven Lerner-Wright

# # #
