Sens. Mark Pryor (D-Ark.) and Jay Rockefeller (D-W.Va.) introduced a data protection bill that would require both businesses and non-profits to establish “reasonable” security policies to protect personal consumer information.
Under the “Data Breach and Security Notification Breach Act of 2010” as introduced, entities that own or possess information like credit card numbers would be required to notify consumers of a data breach within 60 days and provide them with credit monitoring for two years. “An estimated 9 million Americans have their identities stolen each year, resulting in destroyed credit ratings and legal troubles,” Sen. Rockefeller, Chairman of the Senate Commerce Committee, said in a statement. “Consumers are placed at risk of identity theft, fraud, and other harm when bad actors get access to their personal information as a result of security breaches. Companies and other entities who collect and maintain data on individuals should keep this information safe and notify consumers if it is compromised.”
Under the proposed law, entities must “establish and implement policies and procedures” for safeguarding personal information, including a security policy “with respect to the collection, use, sale, other dissemination, and maintenance” of personal information.
The legislation also contains provisions about consumer access to their information and disputed information. Companies that suffer a breach – not limited by the bill in scope, covering a breach of four names or 4 million – must notify affected individuals as well as the Federal Trade Commission. Notice must be given within 60 days unless the company can show the time frame is not feasible or receives a delay for national security or law enforcement purposes.
Notification can be made in writing, by e-mail, or other electronic means if that is the company’s primary form of communication with the consumer. The notice itself must include the date or estimated date range of the security breach, a description of the personal information that was acquired, contact information for the company, the major credit reporting agencies and the FTC so that consumers may inquire about the breach, as well as information about the two-year credit counseling.
To read Senate bill 3742, click here.
Why it matters: The federal legislation would likely preempt a patchwork of state laws on data breach notification, which have various requirements for who must receive notice, how notice can be given, if penalties exist for non-compliance, and whether companies must take pro-active steps like establishing security programs. The bill is similar to legislation introduced last month by Sens. Tom Carper (D-Del.) and Robert Bennett (R-Utah), who have introduced data breach notification legislation in prior sessions without success.