Congress appears one step closer to passing federal legislation aimed at the protection of personal information. On December 8, 2009, the House of Representatives passed the Data Accountability and Trust Act (H.R. 2221) (DATA). DATA would require those entities doing business in interstate commerce that maintain data containing personal information (including those that contract with another party to maintain such data) to comply with future Federal Trade Commission (FTC) regulations designed to protect such data from disclosure, identity theft, and fraud. DATA would also specify requirements for data breach notification. DATA violations would be regarded as unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, and state attorneys general would be able to bring a civil action when residents of their respective states are adversely affected by a violation. The bill was received by the Senate and referred to the Committee on Commerce, Science, and Transportation on December 9, 2009.
Prior to the House’s passage of DATA, the Senate Judiciary Committee approved two similar bills. The first bill, the Data Breach Notification Act (S. 139), would establish notification standards for any agency or entity engaged in interstate commerce that suffers a data breach compromising personal information. The second bill, the Personal Data Privacy and Security Act of 2009 (S. 1490), would require entities to implement an appropriate data privacy and security program, set data breach notification requirements, and enhance criminal punishment for various privacy-related violations. These two bills are slated to proceed to the full Senate for a vote.
With health care and financial reform as top priorities, the Senate may not take any action on these bills in the near future. Such legislation would hopefully provide businesses with a comprehensive set of guidelines for effective information security practices and data breach notification, and would likely preempt much of the current patchwork of state data privacy laws.