Late last month lawmakers introduced two new data protection bills that would require companies to take measures to secure customer data and notify them of any security breach.
Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) introduced the Data Security Act of 2011, which would apply to data brokers, government agencies that possess nonpublic personal information, and all retailers who take credit card information. Under the proposed legislation, covered entities must implement, maintain, and enforce “reasonable data security policies and procedures,” as determined by the size, complexity, and scope of their business and the sensitivity of the information they maintain.
A covered entity would be required to investigate if it determines that sensitive information was, or may have been, compromised. If the entity determines that information was compromised and “is reasonably likely to be misused in a manner causing substantial harm or inconvenience,” then it must notify all consumers, government agencies, and regulators affected by the breach. If the covered information is “maintained or communicated” in a manner that is not usable to commit identity theft or to make fraudulent transactions, a breach notice is not required. Information that is “encrypted, redacted, altered, edited, or [in] coded form” is deemed unusable by the legislation.
Those who fail to comply could be fined, ordered to conduct corrective measures, or banned from working in their respective industries.
If enacted, the law would preempt state data security and breach notification laws. The Federal Trade Commission would enforce the law, which explicitly prohibits private suits.
A second bill was introduced by Sen. Dianne Feinstein (D-Calif.), the Data Breach Notification Act of 2011, which would require companies to notify consumers when their personal and sensitive identifiable information has been compromised.
The bill defines “personal and sensitive identifiable information” to include Social Security numbers, credit card account numbers, driver’s license numbers, unique biometric information and passwords.
Notification would be required “without unreasonable delay,” but not more than 14 days after the discovery of the breach.
Covered entities would include any agency or business that “uses, accesses, transmits, stores, disposes of or collect[s]” covered data. The Attorney General would have enforcement powers, and entities that violate the law could be subject to a $1,000 per day per individual fine up to a maximum of $1 million.
Civil suits are precluded under the legislation and the law would preempt existing state laws.
Why it matters: In a press release announcing his bill – which he modeled on the data security provisions of the Gramm-Leach-Bliley Act – Sen. Carper decried the current legal framework of data security laws. “We need to replace the current patchwork of state and federal regulations,” he said. Currently, 49 states have their own laws on the books addressing data breach notification and/or data security, making compliance an uphill battle for companies.