Lawmakers propose two federal data breach bills

By: DOLAN MEDIA NEWSWIRES//August 17, 2011//

By Correy Stephenson
Dolan Media Newswires

BOSTON, MA — Lawmakers introduced two new data protection bills late last month which would require companies to take measures to secure their customers’ data, as well as notify them of security breaches.

Sens. Tom Carper, D-Del., and Roy Blunt, R-Mo., introduced the Data Security Act of 2011, which would apply to data brokers, government agencies that possess nonpublic personal information and all retailers who take credit card information.

Under the proposed legislation, covered entities would be required to implement, maintain and enforce “reasonable data security policies and procedures,” with reasonableness determined by the size, complexity and scope of the business as well as the sensitivity of the information it maintains.

Covered entities would be required to investigate potential breaches and notify consumers if the information “is reasonably likely to be misused in a manner causing substantial harm or inconvenience.” Information maintained or communicated in encrypted, redacted, altered, edited or coded form is deemed unusable by the legislation, and notice of a breach would not be required.

Private suits are banned under the bill, which would preempt state data security and breach notification laws.

Sen. Dianne Feinstein, D-Calif., introduced a second bill, the Data Breach Notification Act of 2011. The measure would require companies to notify consumers when their personally identifiable information is compromised.

That information is broadly defined under the bill to include Social Security numbers, credit card account numbers, driver’s license numbers, unique biometric information and passwords.

Notification would be required “without unreasonable delay,” but not more than 14 days after discovery of the breach.

Covered entities include any agency or business that “uses, accesses, transmits, stores, disposes of or collects” covered data.

Similar to Sens. Carper and Blunt’s bill, the legislation precludes civil suits and would preempt existing state laws.

In a press release announcing his bill, Sen. Carper decried the current legal framework of data security laws.

“We need to replace the current patchwork of state and federal regulations,” he said. Currently, 49 states have their own law on the books addressing data breach notification and/or data security for consumers.
