Rep. Tom Davis, R.-Va., reintroduced the Federal Agency Data Breach Protection Act today, which would require that victims of federal data breaches be notified in a timely manner and would mandate that agencies have practices and standards in place to do so.
The bill was originally introduced on Sept. 26, 2006 in the previous session of Congress, but the Senate never acted on it.
The legislation was devised following the theft last year of the Department of Veterans Affairs laptop, which contained the personal information of some 26 million veterans.
Tim Bennett, the newly appointed president of the Cyber Security Industry Alliance, said in a statement today that he was pleased the bill was reintroduced and that he hopes this will clear the way for a national breach notification law.
Such a goal seems inevitable.
Meanwhile, two national breach alert bills were approved by the Senate Judiciary Committee, although they differ in what threshold would require reporting to authorities and customers.
The Personal Data Privacy and Security Act of 2007 requires companies to report if the lost or stolen data poses a "significant" risk to customers, while the Notification of Risk to Personal Data Act of 2007, introduced by Sen. Dianne Feinstein, D-Calif., names "reasonable risk" of harm as the threshold, according to a report in the Washington Post.
The former bill, sponsored by Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., and Sen. Arlen Specter, R-Pa., also requires data brokers to inform members of the public about what information the brokers have on file about them, and then to let these individuals correct any mistakes.