eWeek, By: Fahmida Y. Rashid, September 27, 2011
While the Senate Judiciary Committee approved three data breach and privacy bills, it’s still unclear whether a federal data breach notification law will pass this year. The Senate Judiciary Committee approved three data security and privacy bills over strong objections from Republican members last week. The opposition may complicate efforts to pass comprehensive cyber-security legislation this year, observers said. Committee members voted along party lines, 10 to 8, on Sept. 22 to approve the bills introduced by Sens. Dianne Feinstein (D-Calif.), Richard Blumenthal (D-Conn) and Chairman Patrick Leahy (D-Vt). These bills, and any other cyber-security bills that come out of other committees, such as the Senate Commerce Committee, will be consolidated into a single bill before being presented to the full Senate for debate and vote. The Senate Commerce Committee is still working on getting Republican support for its data breach bill, introduced by Chairman Jay Rockefeller (D-W.Va). “Congress has considered data breach legislation several times before, so the chances that any of the current bills will be enacted are unclear,” wrote Harley Geiger, policy counsel at the non-profit public interest organization Center for Democracy and Technology.…… Businesses that maintain personally identifiable information on 10,000 or more Americans must develop a personal data privacy and security program to regularly assess, manage and control risks, train employees, test regularly for vulnerabilities, require outsourcing partners overseas to secure the data, and periodically assess the program’s effectiveness. Victims must be notified of a breach within 60 days by telephone or e-mail unless the organization could prove the breach did not cause much harm or if disclosure it would threaten a criminal investigation. Businesses must also post a media notice and alert credit reporting agencies if the breach involves 5,000 or more individuals.
- Feinstein’s Data Breach Notification Act would require federal agencies and businesses that “engage in interstate commerce” who possess data containing sensitive personally identifiable information to disclose any breaches.
- Blumenthal’s Personal Data Protection and Breach Accountability Act would set up a process to help companies establish appropriate minimum security standards to safeguard sensitive consumer information and require companies to notify individuals promptly after a data breach.
- Leahy’s Personal Data Privacy and Security Act would establish a national standard for companies to follow when reporting data breaches and require businesses to implement data privacy and security programs to prevent them in the first place. The bill also includes criminal penalties. Leahy had introduced similar measures in 2005, 2007 and 2009 which had gone through the Judiciary Committee but failed to get enough votes in the full Senate to become law.