DMA Calls Senate Data Security Bill a 'Good Start'

April 26, 2007 — The Direct Marketing Association (DMA) today thanked members of the Senate Committee on Commerce, Science and Transportation, who took a major step forward yesterday toward creating a clear national standard for data security.

DMA praised the efforts of Senators Daniel Inouye (D-HI) and Ted Stevens (R-AK), who introduced and passed out of committee a new bill (S. 1178) to create a workable standard for protecting personally identifiable information and for notifying consumers when such data is stolen or compromised.

“Any time consumer data is used to commit fraud or identity theft, it is a concern for the businesses that collect and use data for legitimate business purposes,” said Steven Berry, DMA’s executive vice president for government and consumer affairs. “We appreciate that Committee members have been very open and constructive in their dialogue with DMA and other stakeholders. It is clear that the Committee recognizes the strong role of the business community in protecting consumers and combating identity theft.”

Particularly, DMA is pleased that S. 1178 sets uniform national standards. DMA believes that it is critical for both business and consumers to have a clear national standard for the issues that this legislation addresses, including data security, security breach notification, and regulation of Social Security numbers. DMA continues to believe that a national standard should preempt the patchwork of confusing and often conflicting state laws currently in existence.

In reviewing the draft of today’s legislation, DMA notes the need to further refine the language on some of the bill’s specifics. However, on the whole, DMA said it is encouraged by most of the bill’s general provisions, including:

· Strong data security protections for sensitive information. S. 1178 creates protections for sensitive information that also are logical for business in that they will not impose duplicative regulation on those entities that possess sensitive information that are already subject to other federal data security regimes.

· A harm-based protocol for breach notification. The bill includes a harm-based standard for notifying individuals where there is a real risk of identity theft while at the same time not creating undue alarm when there is not a significant risk. While this provision should continue to be evaluated and modified as the bill progresses, it is consistent with standards set forth by the President's Task Force on Identity Theft and the FTC Chairman’s long-supported call for notification for “significant risk of identity theft.”

· Workable safeguards for Social Security Numbers (SSNs). DMA has long supported appropriate limitations on the sale of SSNs. At the same time, there are critical uses of SSNs in the marketplace, in particular in authenticating and verifying customers for both transactions and anti-fraud purposes. DMA hopes to continue working with legislators to ensure that legitimate uses of SSNs for identification purposes are not limited.

“While we have some remaining areas that we would like to see addressed before a final vote is taken, we are pleased that the Committee has worked out a thoughtful approach to helping combat identity theft,” added Berry. “We look forward to continuing to work with the Senators on the Committee and with other members of Congress to ensure that there is a workable framework for business that ensures strong protections for consumers.”

# # #