Custom Search

November 08, 2009

Possible new law on the horizon regarding data breaches?

On November 5, the Senate Judiciary Committee approved two bills regarding data security.  The first is Senator Feinstein's Data Breach Notification Act (S. 139).  The text of this proposed law can be found here - http://thomas.loc.gov/cgi-bin/query/z?c111:S.139:. 

The Data Breach Notification Act would greatly expand the amount of data combinations that, if breached, would require notification.  Currently, most laws only require notification if a name is released in conjunction with a Social Security number, driver's license number or financial account number.  If S. 139 is passed as is, it would require notification if only the first and last name, address/phone number and date of birth are stolen or inadvertantly released.  The bill would also require notification of the Department of Justice and fines up to $1000 per day per victim up to $1,000,000.

The second bill approved by the Senate Judiciary Committee was Senator Leahy's Personal Data Privacy and Security Act (S. 1490), the text of which can be found here - http://thomas.loc.gov/cgi-bin/query/z?c111:S.1490:.

Senator Leahy's bill goes beyond Senator Feinstein's in that it is styled to be proactive to prevent data breaches, rather than reactive to data breaches that have already occurred.  Think "Red Flag Rules" but with the emphasis on protecting against data breaches of any kind, rather than just recognizing and preventing identity theft.  The bill would require companies maintaining information on 10,000 or more United States persons to implement a comprehensive personal data privacy and security program that includes administrative, technical and physical safeguards to prevent data breaches as well as requiring employee training and vulnerability testing of the safeguards. 

I will do my best to follow these two bills and update you on their status.

No comments:

Post a Comment