Two Data Breach Notification Bills Advance in Senate

Two separate bills that would require organizations to notify consumers when their personal information has been compromised have made their way out of committee in the Senate, a critical step toward the creation of a national data-breach notification bill.

A variety of technology vendors, consumer advocacy groups and privacy groups have been calling for Congress to pass a comprehensive federal data-breach notification bill for a number of years now. Several bills have been introduced in both the House and the Senate in recent years, but none has made it to the president’s desk yet.

The Senate Judiciary Committee on Thursday approved two different bills, each of which would mandate that organizations that store consumers’ sensitive data notify consumers if that data is breached. Senate bill 139 would require “Federal agencies, and persons engaged in interstate commerce, in possession of data containing sensitive personally identifiable information, to disclose any breach of such information.” The language in the bill is quite similar to that in existing state notification bills, including the landmark California Senate bill 1386.

There are several significant sections in S. 139, also known as the Data Breach Notification Act, which was introduced by Dianne Feinstein of California. Most importantly, federal agencies and other organizations subject to the bill would not have to disclose a breach if the data involved in the breach was encrypted. This clause has caused some controversy, as some experts say that simply encrypting data does not by itself render it useless to whoever obtains it.

Also, the Data Breach Notification Act would grant an exemption for data that “was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.”

That is a very broad exemption that could become a sticking point as the bill moves along. The terms “access controls” and “other such mechanisms” encompass a huge number of technologies.

The other breach-notification bill, known as the Personal Data Privacy and Security Act, deals more with federal law and potential punishment than with breaches themselves. The bill, sponsored by Patrick Leahy of Vermont, would establish a fine and a jail term of up to five years for failing to disclose a breach when required.

Discussion

  • Michael Argast on

    One of the nice things in this particular bill is the need to inform not only the media and law enforcement, but also credit reporting agencies. When Schwarzenegger recently vetoed the most recent bill to pass the California legislature, he made a comment about not wanting the Attorney General's office to be responsible for aggregating data - but we need someone to. If citizens don't have easily accessible information on how their data is being handled, they can't make rational choices - key for a free economy to work.

    My colleague Chet blogged about the Schwarzenegger story here:

    http://www.sophos.com/blogs/chetw/g/2009/10/19/schwarzenegger-denies-consumers-knowledge-stolen-data/

    Hopefully the Senate passes this bill and it makes it into law - the US could definitely benefit from nation-wide data breach laws.

    Michael Argast, Security Analyst, Sophos

  • Dennis Fisher on

    Couldn't agree more, Michael. S.139 looks like a winner in many respects, aside from that really broad exemption language. I'd guess that will be adjusted before this ever gets to a final vote on the Senate floor.
