The more things change, the more they stay the same. This statement seems especially true when it comes to federal privacy and data breach laws. Last year, proposals for a federal data breach law appeared dead, with a number of similar bills failing to receive support. Then, at the end of 2005, Microsoft reversed its position and declared it now supported federal legislation. After some controversy over a proposed House bill in March, however, things quieted down again, with the Microsoft-backed bill lost somewhere in the shuffle. Now, it seems we’re back where we were nine months ago—with proposals for national laws gaining traction.
In June, the DATA Act (HR 4127) was passed out of committee in the House. This bill gives the FTC more power to mandate how businesses collect, store and dispose of personal information. In addition, a new proposal for a comprehensive federal data breach notification bill has gained some support in the Senate. Passed out of committee in late July, the Notification of Risk to Personal Data Act (S 1326) would require businesses holding sensitive personal information to put reasonable safeguards in place to protect that information. Moreover, if a breach occurred, businesses would be required to notify any consumers who are at “significant risk of identity theft” as a result of the breach.
Direct marketers need to think about the new requirements these pieces of legislation may impose. Both bills define personal information and sensitive personal information broadly, which means most marketers that deal with customer information probably will be at least partially affected.
How can direct marketers prepare? Encrypting any personally identifiable information (PII)—e.g., addresses, telephone numbers and sensitive data like social security numbers and drivers’ license numbers—is a good place to start. Since the Notification of Risk Act applies only to information that is not encrypted, encrypting stored PII could limit a marketer’s liability in the event of a security breach.