Congress has taken up another proposed federal data breach notification law.
The Data Security Breach and Notification Act of 2012, introduced recently by Sen. Pat Toomey, R-Pa., would supersede more than 45 existing state laws to create a uniform standard for organizations to alert victims following a loss of their personal information. Supporters say a single law will simplify a hodgepodge of disparate reporting obligations that have been promulgated by the individual states.
The notification, to be delivered by email, letter or telephone call, must be completed "as expeditiously as practicable and without unreasonable delay," according to Toomey's proposed measure.
Individuals must receive information about the date of the breach, a description of what happened and a way to contact the offending organization. A breach is defined as a loss of personal information involving someone's name combined with their Social Security number or some other identifying number, or their bank account or credit card number.
The legislation, co-sponsored by Republican Sens. Roy Blunt of Missouri, Jim DeMint of South Carolina, Dean Heller of Nevada and Olympia Snowe of Maine, also requires breached entities to notify the FBI and U.S. Secret Service if the incident involves the personal records of more than 10,000 people.
Organizations that fail to comply with the law could receive fines of up to $500,000.Despite a slew of high-profile breaches that have generated immense interest from Congress, the body has tried and failed several times in the past, even after urging from the White House, to enact a national breach notification law.
Typically their efforts been hampered by disagreement over the threshold that should constitute notification, concerns from privacy advocates and opposition from some who believe the state laws provide greater protection.
William Baker, a Washington, D.C privacy and security lawyer with Wiley Rein, said he believes the trend will continue with this proposal.
"Given the disagreements between the House and the Senate, and between Democrats and Republicans, and the little time remaining in this Congress, a federal data breach notification law is unlikely to pass this year," he told SCMagazine.com Wednesday in an email.