Congress - After the House of Representatives had approved their version of the Fiscal Year 2010 (FY2010) Commerce-Justice-State (CJS) appropriations bill (H.R. 2847), including more than $7 billion for the Census Bureau, the Senate Appropriations Committee passed their own Census-funding bill. The Senate Committee allocated $7.324 billion for the Census Bureau, meeting the full Administration budget request for all agency programs, except for a reduction in mileage reimbursement for temporary 2010 census employees. MRA continues to advocate for Census funding in the Congress.
Congress – The Senate confirmed Dr. Robert Groves as the new director of the U.S. Bureau of the Census on July 13. From early this year, MRA pressured the President to nominate a director and the Commerce Secretary to help, and endorsed Dr. Groves before he testified in Committee. We also worked behind the scenes with our allies in order to get him confirmed. MRA applauds his confirmation.
Congress – The House Energy & Commerce Committee approved the Data Accountability and Trust Act (H.R. 2221) on June 3, with minor amendments. CMOR has already met with Committee staff and is working to protect the profession’s interests. The Act would require everyone “that owns or possesses data containing personal information, or contracts to have any third party entity maintain such data… to establish and implement” certain information security practices. Such practices would include: setting and following a data security policy; identifying a chief privacy officer within the organization; regular monitoring of security; timely response to vulnerabilities and fixing of problems; and full disposal of “obsolete” data (both electronic and paper). Entities already subject to and in compliance with HIPAA or GLB security rules are exempted. H.R. 2221 also includes a laundry list of extra regulations for “information brokers,” defined as XXX.
H.R. 2221: Breach notification: Following “the discovery of a breach of security of” a system, you would have to notify every “citizen or resident” of the U.S. “whose personal information was acquired by an unauthorized person as a result of such a breach of security.” You would also notify the Federal Trade Commission (FTC), as well as the Department of Health and Human Services (HHS) if it included Personal Health Information (PHI) as defined under HIPAA. If the breach affects more than 5,000 people, you would have to notify the major credit reporting agencies. The party whose security is breached would be the one that needs to do the notifying: if the data were breached by a third party agent of your company, that third party agent would have to notify affected people. Notifications “shall be made as promptly as possible and without unreasonable delay following the discovery of a breach… consistent with any measures necessary to determine the scope of the breach, prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.”
H.R. 2221: Exemption from Breach Notification: You would be exempt from the notification requirements “if, following a breach of security, such person determines that there is no reasonable risk of identity theft, fraud or other unlawful conduct.” This presumes that the data breached was encrypted, or otherwise rendered “unusable, unreadable or indecipherable.”
H.R. 2221: Other Provisions: The Act codifies authority that the FTC has exercised for years, treating violations as “unfair and deceptive” acts and practices. H.R. 2221 forbids the FTC from requiring “the deployment or use of any specific products or technologies, including any specific computer software or hardware.” The Act also allows for broad enforcement authority by state attorneys general, but only they can bring civil actions.
H.R. 2221: Definitions: “Breach of security” is defined as “unauthorized access to or acquisition of data in electronic form containing personal information.” “Encryption” is defined as “the protection of data in electronic form in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.” H.R. 2221 defines an “information broker” as “a commercial entity whose business is to collect, assemble or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity.” The Act defines “personal information” as “an individual’s first name or initial and last name, or address or phone number, in combination with” either: a Social Security number; any other government-issued identification number; or a financial account number, credit or debit card number, and any required security code, access code or password required for access. The FTC can expand this definition through rule-making.
H.R. 2221: Impact on State Laws: The Act pre-empts all state laws on breach notification and data security and encryption policies. It would not pre-empt state laws on trespass, contract, tort or fraud.
CO - Has enacted H.B. 1094, sponsored by Rep. Levy (D), prohibiting operators of a motor vehicle who are under 18 years of age from using a wireless telephone while the vehicle is in motion unless they use a hands-free accessory. Survey and opinion research companies that conduct research with respondents in Colorado should develop best practices for contacting respondents on their cell phones.
IL - Has enrolled H.B. 71, sponsored by Rep. D’Amico (D), prohibiting a person from using an electronic communication device to compose, send, or read an electronic message while operating a motor vehicle. An electronic communication device is defined as “an electronic device, including but not limited to a wireless telephone, personal digital assistant, or a portable or mobile computer while being used for the purpose of composing, reading or sending an electronic message, but does not include a global positioning system or navigation system or a device that is physically or electronically integrated into the motor vehicle.” The legislation allows a driver to use an electronic communication device while parked or stopped due to traffic and the vehicle is in neutral or park. The bill has been sent to the governor for final signature. Survey and opinion researchers who conduct research using this method should be mindful to develop and implement policies in light of this new potential law.
IL - Has enrolled H.B. 72, sponsored by Rep. D’Amico (D), prohibiting a person, regardless of age, from using a cell phone while operating a motor vehicle on a roadway in a school speed zone or on a highway in a construction or maintenance speed zone, except for a person engaged in a highway construction or maintenance project when the person is using a wireless telephone in furtherance of that project, specified emergencies, and when the phone is in voice-activated mode. The bill has been sent to the governor for final signature. The survey research profession should be mindful to develop business practices in light of the new laws as they apply to conducting research via cell phones to respondents in cars.
NC - Has enacted H.B. 9, sponsored by Rep. Pierce (D), prohibiting any person from operating a motor vehicle on a public street, highway or public area while using a mobile phone to: “(1) Manually enter multiple letters or text in the device as a means of communicating with another person; or (2) Read any electronic mail or text message transmitted to the device or stored within the device, provided that this prohibition shall not apply to any name or number stored in the device nor to any caller identification information.” Survey research businesses should be mindful to develop policies in light of the changes in the law.
OR - Has enrolled H.B. 2377, sponsored by Rep. Tomei (D), prohibiting the use of a mobile communication device for a person of any age without a hands-free accessory while driving. A mobile communication device is defined as “a text messaging device or a wireless, two-way communication device designed to receive and transmit voice or text communication.” The bill has been sent to the governor for final signature. Again, survey and opinion research businesses should develop policies in light of recent changes in the scope of state laws when conducting survey research via cell phones.
LA - Has enacted S.B. 29, sponsored by Senator Riser (R), prohibiting a caller from knowingly inserting false information into a caller identification system with the intent to mislead, deceive or defraud the recipient of a telephone call. Survey and opinion research companies should always strive for “Truth in Caller ID” when calling respondents.
Telephone Solicitation/Do Not Call
AK - Has enacted H.B. 93, sponsored by Rep. Chenault (R), adding cell phone numbers registered with the national do not call registry to the state do not call registry. The state law only applies to telephone solicitation calls and does not apply to survey research.
IA – H.B. 547 (reported in April’s Legislative Update) has been carried over to the next legislative session.
OR – S.B. 845 (reported in April’s Legislative Update) has died.
Telephone Solicitation/Do Not Call
MO - H.B. 732 (reported in April’s Update) has died.
MO - S.B. 43 (reported in April’s Update) has died.
WV - H.B. 2290 (as reported in April’s Update) has died as a result of the end of the legislative session.