On Wednesday, March 25, 2015, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade approved a discussion draft bill entitled “The Data Security and Breach Notification Act of 2015.” The draft bill seeks to establish a single federal standard concerning data security and data breach notification. While NAR is supportive of a single national standard as is created by the bill, NAR has several concerns with the bill as drafted. Of most concern was the exemption of third-party service providers from the requirement to notify affected consumers when the service provider experiences a data breach. As drafted, the breached firm would only be required to notify the business, i.e. the agent or brokerage, whose data may have been hosted by the service provider. That small firm would be responsible for the costs of notice and potential fines and penalties, while the business responsible for the breach nearly entirely escapes responsibility. However, the Manager's Amendment, which was approved, contained a fix to this problem. NAR still has additional concerns with the draft bill including its vague language surrounding what constitutes “reasonable security measures and practices” and the potential expansion of the Federal Trade Commission’s enforcement authority.
Advertisement