Yet Another Data Breach Bill Introduced

Latest Proposal to Create National Requirement for Notification

By , February 3, 2014.
Sen. Jay Rockefeller is prime sponsor of a data breach notification bill.

Yet another bill to create a federal requirement for data breach notification has been introduced, this time by Democratic leaders of the Senate Commerce, Science and Transportation Committee.

The Data Security and Breach Notification Act of 2014 would, for the first time, provide a federal standard for companies to safeguard consumers' personal information throughout their systems and to quickly notify consumers if those systems are breached.

The legislation, introduced Jan. 30 by Committee Chairman Jay Rockefeller, D-W.V., and three co-sponsors, would require the Federal Trade Commission to issue security standards for companies that hold consumers' personal and financial information. In the event of a data breach, companies would be obligated in most instances to notify their affected customers within 30 days of a breach so they can take steps to protect themselves from the risk of identity theft and fraud.

Rockefeller, in a statement introducing the bill, says companies must be responsible for securing the personal information in systems that store sensitive data. "The recent string of massive data breaches proves companies need to do more to protect their customers," Rockefeller says, referring to breaches at Target, Neiman Marcus and other retailers (see Feds Investigating Target Breach). "They should be fighting back against hackers who will do whatever it takes to exploit troves of consumer information."

At a Senate Intelligence Committee hearing last week chaired by another of the bill's co-sponsors, Sen. Dianne Feinstein, D-Calif., Rockefeller said recent data breaches heightened his skepticism that private companies would be capable of protecting privacy and strengthening the security of personal information. This is especially disconcerting, he said, because of President Obama's recent proposal to move the National Security Agency's bulk metadata collection program to private telecommunications companies (see President Describes Restraints on Metadata-Collection Program).

Bill's Provisions

According to the bill's sponsors, the measure, if enacted as written, would:

  • Direct the FTC to develop robust but flexible rules that require businesses that possess consumers' personal information to adopt reasonable security protocols to protect that information from unauthorized access. The FTC would have the flexibility to broaden, through rulemaking, the commission's ability to protect other types of personal information if it furthers the purpose of the law and does not unnecessarily burden business.
  • Institute strong breach notification requirements that would allow affected consumers to take steps more easily to protect themselves from identity theft and other crimes.
  • Increase the use of technology to combat hackers by encouraging businesses to adopt state-of-the-art technologies that would render consumer electronic data unreadable or unusable in the case of a breach.
  • Establish two-pronged enforcement, whereby the FTC and state attorneys general would enforce the law. Breached companies would be required to notify a central, designated federal organization established by the Department of Homeland Security, which in turn would notify other relevant law enforcement and government agencies of the breach. The bill would impose civil penalties for violations of the law as well as criminal penalties on corporate personnel who deliberately conceal a data breach.

"If companies are going to collect and store consumers' personal information, safeguarding that data should be their number one priority," says another of the bill's sponsors, Sen. Richard Prior, the Arkansas Democrat who chairs the Commerce Subcommittee on Communications, Technology and the Internet. "By implementing more stringent standards and requiring businesses who are breached to notify those affected, our common-sense bill will help prevent these incidents in the future and give American consumers assurance that their information is protected."

Follow Eric Chabrow on Twitter: @GovInfoSecurity