DMA Reiterates Need for Data Security Legislation in Letter to Senate

April 17, 2007 — As Congress once again considers measures to create a national standard for notifying consumers in the event of the loss or theft of personal data, the Direct Marketing Association (DMA) continues to call for legislation that will offer protection for consumers without impeding the legitimate exchange of data necessary for electronic commerce.

In a letter sent last week to leaders of the Senate Committee on Commerce, Science and Transportation, DMA outlined the principles it supports for any data security legislation.

“When we apply for a car loan, shop online, or swipe a debit card at the grocery store, it is the responsible collection and use of personal information that makes these convenient and quick transactions possible,” said Steven Berry, DMA’s executive vice president for government and consumer affairs. “To maintain trust in today’s information-driven economy, we must ensure that the personal data that makes electronic transactions possible is vigorously protected against theft, fraud or unauthorized use.”

In recent years, DMA has issued member guidelines on responsible data stewardship and has worked closely with the Federal Trade Commission to develop a checklist of broad security procedures that marketers are encouraged to follow.

However, DMA also recognizes that creating a secure online marketplace will require steps beyond what the Association can promote within its own membership. To that end, DMA continues to support Congressional efforts to enact a clear national standard for the safeguarding of sensitive information and the prompt notification of consumers when compromised data puts them at risk for identity theft.

As outlined in the letter to Committee Chairman Daniel Inouye (D-HI) and Vice Chairman Ted Stevens (R-AK), DMA believes that such legislation should:

· Focus only on information that is truly sensitive – i.e., that it could be used to steal a consumer's identity.

· Require a “trigger” for consumer notification when a data breach puts the consumer at a real risk of harm.

· Set flexible standards for businesses that collect personal information for security and verification purposes. DMA supports using security practices established under the Gramm-Leach-Bliley Act as a model.

· Apply only to breaches of computerized data, which present the overwhelming majority of situations that pose risk to consumers.

· Create flexible timelines for notification that will allow businesses to investigate breaches and work with the appropriate law enforcement officials.

· Preserve the ability of businesses to use Social Security numbers for verification and authentication purposes.

“Right now, businesses, nonprofits, and government agencies are operating under a confusing and often conflicting patchwork of state laws,” added Berry. “We hope that Congress will work quickly and cooperatively to address this important issue and set a clear national standard that will protect businesses and consumers alike.”

# # #