Data privacy legislation has been introduced regularly but has yet to pass. Could this be the year? The recent breaches at Target and Neiman Marcus (see our posts here, here, here) have drawn national attention and may be the impetus needed to pass the legislation. Currently, two bills addressing data breaches have been introduced:
- Senator Patrick Leahy reintroduced the Personal Data Privacy and Security Act of 2014. This bill was originally introduced in 2005 because “security breaches are a serious threat to consumer confidence, homeland security, national security, e-commerce, and economic stability” and has been reintroduced in each of the last four sessions of Congress. The bill would establish a national standard for data breach notification and require businesses to safeguard personal information from cyber threats. Under the legislation, covered entities are required to provide notice to the Federal Bureau of Investigation or the United States Secret Service of “major” security breaches of “sensitive personally identifiable information.”
- Senators Tim Carper and Roy Blunt introduced the Data Security Act, legislation that would require companies that accept credit cards to have information security plans aimed at protecting data and incident response plans that set out the steps to be taken in the event a breach occurs. The legislation also contains a notification provision that would require companies to notify affected customers and federal authorities in the event of a breach and to provide credit monitoring services if over 5,000 customers are affected.
The move to a uniform federal notification law — preempting individual state laws — may be welcome in some corners, as companies have spent time and resources trying to comply with the 46 different state laws (see the Mintz Matrix). And, perhaps the current landscape and serious threat to consumer confidence will prompt the passing of the legislation this year.