Yet another bill to create a federal requirement for data breach notification has been introduced, this time by Democratic leaders of the Senate Commerce, Science and Transportation Committee.
The Data Security and Breach Notification Act of 2014 would, for the first time, provide a federal standard for companies to safeguard consumers' personal information throughout their systems and to quickly notify consumers if those systems are breached.
The legislation, introduced Jan. 30 by Committee Chairman Jay Rockefeller, D-W.V., and three co-sponsors, would require the Federal Trade Commission to issue security standards for companies that hold consumers' personal and financial information. In the event of a data breach, companies would be obligated in most instances to notify their affected customers within 30 days of a breach so they can take steps to protect themselves from the risk of identity theft and fraud.Rockefeller, in a statement introducing the bill, says companies must be responsible for securing the personal information in systems that store sensitive data. "The recent string of massive data breaches proves companies need to do more to protect their customers," Rockefeller says, referring to breaches at Target, Neiman Marcus and other retailers (see Feds Investigating Target Breach). "They should be fighting back against hackers who will do whatever it takes to exploit troves of consumer information."
At a Senate Intelligence Committee last week that was chaired by another of the bill's co-sponsors, Sen. Diane Feinstein, D-Calif., Rockefeller said recent data breaches heightened his skepticism that private companies would be capable of protecting privacy and strengthening the security of personal information. This is especially disconcerting, he said, because of President Obama's recent proposal to move the National Security Agency's metadata, bulk collection program to private telecommunications companies (see President Describes Restraints on Metadata-Collection Program).
According to the bill's sponsors, the measure, if enacted as written, would:
- Direct the FTC to develop robust but flexible rules that require businesses that possess consumers' personal information to adopt reasonable security protocols to protect that information from unauthorized access. The FTC would have the flexibility to broaden, through rulemaking, the commission's ability to protect other types of personal information if it furthers the purpose of the law and does not unnecessarily burden business.
- Institute strong breach notification requirements that would allow affected consumers to take steps more easily to protect themselves from identity theft and other crimes.
- Increase the use of technology to combat hackers by encouraging businesses to adopt state-of-the-art technologies that would render consumer electronic data unreadable or unusable in the case of a breach.
- Establish two-pronged enforcement, whereby the FTC and state attorneys general would enforce the law. Breached companies would be required to notify a central, designated federal organization established by the Department of Homeland Security, which in-turn would notify other relevant law enforcement and government agencies of the breach. The bill would impose civil penalties for violations of the law as well as criminal penalties on corporate personnel who deliberately conceal a data breach.
"If companies are going to collect and store consumers' personal information, safeguarding that data should be their number one priority," says another of the bill's sponsors, Sen. Richard Prior, the Arkansas Democrat who chairs the Commerce Subcommittee on Communications, Technology and the Internet. "By implementing more stringent standards and requiring businesses who are breached to notify those affected, our common-sense bill will help prevent these incidents in the future and give American consumers assurance that their information is protected."
Forty-six states have their own data breach notification laws, and legislation has been introduced in the Kentucky legislature that would make it the 47th state to implement data breach notification - but only for breaches of government computers (see Kentucky Lawmakers Unveil Brach Notification Bill).
Agreeing on Wording a Challenge
Standardizing breach notification nationally would mean businesses would only need to comply with one law and not 46 different state laws, which would simplify the notification process.
Most of the breach notification bills unveiled in the past 13 months had been introduced in previous Congresses as well. The challenge facing lawmakers is agreeing on what a federal law should require - for example, which state law should serve as the model for a U.S. law? "Each [special-interest] group has different state laws that they like and don't want to lose anything they have today," says Peter Swire, senior fellow at the Future of Privacy Forum and professor at Georgia Tech's Scheller College of Business.
In January, lawmakers introduced two other bills to create a national standard for breach notification. Sens. Tom Carper, D-Del., and Roy Blunt, R-Mo., introduced Jan. 15 the Data Security Act of 2014 (see Breach Notification Bills Pile Up in Senate). Earlier in the month, Senate Judiciary Chairman Patrick Leahy, D-Vt., introduced the Personal Data Privacy Security Act (see Why U.S. Breach Notice Bill Won't Pass)
Also in the current session of Congress, Sen. Pat Toomey, R-Pa., introduced his version of the Data Security and Breach Notification Act to require businesses to take reasonable measures to protect and secure data in electronic form containing personal information and notify law enforcement authorities and consumers if a major breach involving at 10,000 individuals occurred.
The HIPAA breach notification rule already provides a national standard for notification of health data breaches.