House Panel Clears Breach Notification Bill

SAFE Data Act Would Nationalize Breach Notification

By , July 21, 2011.

The House Subcommittee on Commerce, Manufacturing and Trade approved by a voice vote Wednesday a version of a data breach notification bill that its Republican sponsor says would enhance protection of personal information by establishing uniform national standards.

"Consumer notification is often hampered by the fact that companies must first determine their obligations under 47 different state regimes," said Rep. Mary Bono Mack, R-Calif., the subcommittee's chair and bill's sponsor.

The Secure and Fortify Electronic Data Act, or SAFE Data Act, goes to the full Energy and Commerce Committee for consideration.

If enacted, the SAFE Data Act would preempt breach notification laws in 47 states and require notification of consumers within 48 hours after identifying specific information that was breached, unless it was an inadvertent breach unlikely to result in harm. The bill, HR 2577, would grant the Federal Trade Commission authority over not-for-profit organizations for purposes of this act only.

The ranking Democrat on the full committee, Rep. Henry Waxman of California, said the biggest loophole in the bill is its definition of personal information, contending the bill wouldn't protect most personal information stored online or in a company database.

"There is no protection for personal e-mails; no protection for personal photographs and videos stored on-line; no protection for records of book, video, and other consumer purchases; no protection for records of purchases of over-the-counter drugs, including pregnancy tests; no protection for payroll records," he said.

But Republicans contend the SAFE Data Act is about breach notification, not overall privacy, which is being addressed in other legislation.

At a hearing last month, FTC Commissioner Edith Ramirez endorsed the bill, lauding provisions to authorize the use of standard notice and comment procedures rather than a more burdensome rulemaking process under the FTC Act (see Draft of Breach Notification Bill Criticized). That, Ramirez said, would allow the FTC to promulgate rules more timely and efficiently. She also said the FTC supports provisions authorizing the agency to obtain civil penalties for violations. "Civil penalties are particularly important in areas such as data security, where the commission's traditional equitable remedies - including consumer restitution and disgorgement - may be impractical or not optimally effective," she said.

Bono Mack said the legislation would require:

  • Companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data.
  • The notification of law enforcement within 48 hours after discovery of a breach, unless that breach was an innocent or inadvertent breach unlikely to result in harm.
  • Organizations to begin notifying consumers 48 hours after taking steps to prevent further breach and determining who has to be notified.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
