New Senate bill aims to prevent, deter data breaches

Share this article:
A bill introduced in the U.S. Senate on Thursday aims to quell the ever-increasing tide of data breaches by requiring businesses to follow guidelines for the safe storage of data and imposing large fines to violators.

The 100-page measure, introduced by Sen. Richard Blumenthal, D-Conn., and called the Personal Data Protection and Breach Accountability Act of 2011, would require businesses with data of more than 10,000 customers to implement privacy and security programs to ensure the information is protected. As part of such programs, businesses would be required to conduct risk assessments and regularly test key controls and systems.

“My goal is to prevent and deter data breaches that put people at risk of identity theft and other serious harm both by helping protect consumers' data before breaches occur, and by holding entities accountable when consumers' personally-identifiable information is compromised,” Blumenthal said in a news release.

The bill would create a federal data breach notification rule, requiring businesses that collect personal information to notify customers “without unreasonable delay” if their data has been breached, according to the bill. Breached entities would be required to offer victims two years of free credit monitoring services.

Companies that violate the law would be subject to hefty fines. The Department of Justice would be able to fine violators $5,000 per infraction each day, up to $20 million for each violation. Additionally, consumers affected by violations of the law would be able to file civil actions against the firm in question.

The bill is just one of several introduced this year in Congress dealing with privacy issues.

“It's apparent that Congress is increasingly concerned about privacy issues,” Trevor Hughes, president and CEO of the nonprofit International Association of Privacy Professionals (IAPP), told on Monday.

Privacy bills traditionally have focused on the principles of notice and choice, aiming to give consumers options about how their data is used, Hughes said. Blumenthal's bill, however, focuses on the principle of accountability by holding businesses responsible for appropriately managing data.

“That development might be well received by many in the privacy community,” he said.

A law that “harmonized” the patchwork of existing state privacy and data security requirements would likely be helpful to businesses and widely supported, Andy Serwin, chair of the privacy practice at Foley and Lardner, a Milwaukee-based law firm, told on Monday.

“If we are going to have comprehensive legislation at the federal level, careful thought would need to be given on how that integrates with what states have already done,” Serwin said.

The bill was referred to the Senate Judiciary Committee for review.

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.