Data Security

REALTORS® want any data security legislation to include an exemption for small businesses and to not pre-empt state laws.

Our concerns include:
- While there is the need for protection of this electronic and
  paper data as incidents of identity theft have been increasing over
  the past years, there is also the need to not put too large of a
  strain on small businesses.
- The federal government should not pre-empt state laws. Many state
  laws are already proving effective and if anything the federal
  government should set minimum standards, not preempt all state laws
  and set a low ceiling.
- California already has expansive data security laws. Any federal
  preemption of these laws would likely lessen consumer protections
  and security measures already in place. Any data security law passed
  should not preempt state laws and should include a small business
  exemption.
- While a large organization may be able to afford some of the
  expansive efforts being proposed, the same responsibilities placed
  on a small business could easily lead to an inability to continue
  operations. The large cases of electronic identity theft that have
  prompted the calls for action are occurring at sources that hold
  massive amounts of information, hundreds of thousands to millions of
  different identities of the kind a large multinational corporation
  would store, not at small businesses.
- If small businesses are to be included in data security, they
  should not have to meet the same standards as the large
  multinational corporations. Small businesses should be allowed to
  follow the guidelines that the FTC has set as “reasonable security
  measures”.

General Background:

There have been numerous publicized breaches of data security that have drawn more attention to this issue. Highly publicized breaches include the Department of Veterans Affairs, CitiFinancial, Card Systems Solutions, and most recently the University of California, Los Angeles.

All of these events have increased the call for the government to help protect consumers from identity theft. This can have far-reaching influence on both businesses and consumers, as most companies store consumer data in either electronic or paper format. Whether it’s a national credit company, a mortgage company, a consumer data research company, a local insurance agency, or even a REALTOR® who stores their clients’ information on buyer/seller agreements, businesses often have a valid business reason, or legal obligation, to keep and store this information.

There is the need for protection of this electronic and paper data as incidents of identity theft have been increasing over the past years. However, there is also the need to not put too large of a strain on small businesses. REALTORS® are starting to keep more information in electronic format, but many still use only paper format for their business.

The 110th Congress has introduced numerous data security bills. The major bills are H.R. 1685, S. 239, S. 495, and S. 1178. These bills differ in their definition of what a security breach is, what triggers the need to report a breach (suspected breach, potential risk for data misuse, known breach only, etc.), how much power consumers have in correcting credit errors and freezing credit accounts, and who pays for credit-monitoring services. Currently, all of the data security bills would pre-empt state laws.

The largest issue stalling the data security bills is that multiple committees have jurisdiction over data security and they all want to pass their own versions of legislation. There is not one consensus bill concerning data security and until there is, none of these bills will move any further than being voted out of their respective committees.