Multiple Senate committees are considering data security and breach notification legislation, following the White House’s endorsement of such legislation earlier this year. Data security measures are often discussed in the context of cybersecurity, and could be added to any cybersecurity legislation that advances in Congress.
The Senate Judiciary Committee passed three data security and breach notification bills on September 22, 2011. The bills are Chairman Leahy’s (D-VT) S. 1151, Personal Data Privacy and Security Act; Sen. Feinstein’s (D-CA) S. 1408, Data Breach Notification Act; and Sen. Blumenthal’s (D-CT) S. 1535, Personal Data Protection and Breach Accountability Act. Chairman Leahy’s and Sen. Blumenthal’s bills share some similarities. Both bills give the Attorney General the primary enforcement role and impose the requirement of notice to the FBI and Secret Service for any breach involving a database of a certain size, although Sen. Blumenthal has included a private right of action and increased criminal penalties for certain online data collection practices. Unlike the other bills, Sen. Feinstein’s bill is limited to data breach notification and would not impose data security requirements. The Commerce Committee is also expected to consider Sen. Pryor’s (D-AR) and Sen. Rockefeller’s (D-WV) S. 1207, Data Security and Breach Notification Act, after a markup scheduled for September was postponed. Finally, the Senate Banking Committee is considering Sen. Carper’s (D-DE) S. 1434, Data Security Act.
The House also saw a flurry of activity on data security on the eve of the August recess. Following a series of hearings on data security, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade began marking up the Secure and Fortify Electronic Data Act (“SAFE Data Act”) authored by Subcommittee Chairman Bono Mack (R-CA). This bill would require entities to provide security for data containing personal information and would establish a national breach notification standard. At a July markup, the Subcommittee removed a provision that would have allowed the Federal Trade Commission to redefine the “personal information” covered by the bill and clarified that the FTC lacked authority to determine the data minimization steps that could be imposed on companies. Further work on the bill has been postponed.
The House is also considering bills by Rep. Rush (D-IL) and Rep. Stearns (R-FL), who have reintroduced their respective Data Accountability and Trust Act (“DATA”) bills (H.R. 1707 and H.R. 1841), which take different approaches to requiring entities to provide security for electronic personal information and to creating a national data breach notification standard.