Companies that suffer a data breach would be required to notify the federal government, law enforcement and consumers if a bill introduced this week by US Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) is signed into law.
Forty-nine states and territories have laws forcing companies to disclose news of data breaches, but the Data Security Act of 2011 would make the disclosure a federal requirement as well.
The proposed legislation would impact retailers who collect consumers’ credit-card information, data companies that collect private information, and government agencies that maintain nonpublic personal information, according to a statement from Carper’s office. The text of the bill was not immediately available.
Companies affected by a data breach would be required to alert national consumer-reporting agencies if a breach affects more than 5,000 consumers, as well as federal regulatory agencies, law enforcement and impacted consumers.
“We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country,” Carper said in a statement. “This comprehensive approach will better serve consumers by making it easier for businesses and government agencies to take the steps necessary to adequately protect all Americans from identity theft and account fraud.”
The bill introduced by Carper and Blunt is the second Senate bill introduced in as many weeks that would implement a federal requirement for companies to notify consumers after a data breach. US Sen. Dianne Feinstein’s (D-Calif.) Data Breach Notification Act of 2011, introduced July 22, calls for “any business entity that engages in interstate commerce” and accesses or collects consumers’ personally identifiable information to notify affected consumers “without unreasonable delay.” The bill includes a provision for companies to delay notification in order to realize the scope of a breach and “restore the reasonable integrity of the data system.”
“It is past time for Congress to pass a national breach notification standard to ensure that consumers are notified when their information is exposed so they can take the necessary steps to protect themselves,” Feinstein said in a statement.
Meanwhile, US Rep. Mary Bono Mack (R-Calif.) unveiled the Secure and Fortify Electronic Data Act on July 18, which would explicitly require companies to notify affected consumers within 48 hours of identifying the scope of a data breach. The bill would provide exceptions if “the breach of security presents no reasonable risk of identity theft, fraud or other unlawful conduct affecting such individuals.”
US Sen. Patrick Leahy’s (D-Vt.) Personal Data Privacy and Security Act of 2011, introduced June 7, would subject companies that are legally required to disclose data breaches to fines or imprisonment if they fail to do so. It would also require third-party companies that collect consumers’ data to give a consumer, in exchange for a fee, all personal electronic information on the individual that the company has compiled.
Email marketing vendor Epsilon experienced a security breach in March that exposed the names and email information stored in about 2% of its clients’ customer databases. Impacted companies included JPMorgan Chase & Co., Walgreens Co., Best Buy, Ameriprise Financial and TiVo.
Sony Corp. reported a similar data breach in May that impacted about 100 million consumers, and Citigroup said in June that hackers had accessed 1% of its Citi North America bank card accounts.