Updated Thursday, Dec. 10, 2009 at 4:51 p.m. EST
A national data breach notification bill was passed in the U.S. House of Representatives on Tuesday.
The Data Accountability and Trust Act would require any organization that experiences a breach of electronic data containing personal information to notify all U.S. individuals whose information is breached. The law requires that the Federal Trade Commission to also be notified.
In addition, organizations would be required to designate an information security officer and establish a data security policy. The policy would have to address the collection of personal information and include a process for identifying and correcting system vulnerabilities and disposing electronic data.
A federal law is needed to replace the “patchwork quilt” of variousstate data breach notification laws, Shannon Kellogg, director ofinformation security policy at EMC,told SCMagazineUS.com on Thursday.
“Organizations large andsmall have to comply with all the different state laws and spend a lotof time and energy to do that when those same organizations could bespending that time addressing the range of information security risksand threats,” Kellogg said. “Let's get rid of this complexity andestablish reasonable federal standards for organizations to complywith.”
The bill was introduced April 30 by Rep. Bobby Rush D-Ill., chairman of the House Subcommittee on Commerce, Trade and Consumer Protection. Next, it will go to the Senate for a vote.
“For the past five years, the Privacy Rights Clearinghouse contends that nearly 340 million records containing sensitive personal information have been involved in security breaches,” Rush said Tuesday on the House floor. “However, there is no comprehensive federal law that requires all companies that hold consumers' personal information to implement reasonable measures to protect that data. Also, there is no federal law that requires companies that experience a data breach to provide notice to those consumers whose personal information was compromised.”
There have been a number of similar bills recently introduced in Congress, including two federal data security laws, which have cleared the U.S. Senate Judiciary Committee. None, however, have previously passed a vote on the House floor.“The ball is in the Senate's court,” Kellogg said. "There will need to be some work in the Senate to bring together different proposals to move this legislation forward. Hopefully we can finally see a federal law.”
Under the bill, personal information is defined as, “an individual's first name or initial and last name, or address, or phone number,” along with at least one of the following: Social Security number; driver's license number or other state identification number; financial account number, credit or debit card number, along with the security/access code or password needed to access the financial account."
Breaches would not have to be reported if the organization has determined that “there is no reasonable risk of identity theft, fraud, or other unlawful conduct,” the bill states. Also, the bill provides an exemption if the breached information was encrypted or protected by any other technologies that the FTC identifies would render data unreadable.
Requirements around the timeliness and content of data breach notifications are included in the bill. Breached organizations would be required to promptly send out notifications after discovering the data-loss incident, determining the scope of the breach and taking measures to prevent any additional data loss. Notifications would have to include a description of the personal information that was breached, along with a telephone number that victims can call to learn more information. Organizations would also be required to offer free credit monitoring services for victims for two years.
The bill includes a requirement for breaches that occurred by a third party contracted to maintain or process electronic data on behalf of an organization. In this case, the third party would be required to notify the organization, which would have to notify victims.The act would be enforced by the FTC, the bill states. Also, the FTC would be required to place a notice on its website about breaches that would be of public interest. Organizations that do not fall under the FTC's jurisdiction are not required to notify breach victims.
“The jurisdiction point is significant,” according a blog post Wednesday from the Open Security Foundation, a volunteer organization that tracks data breaches and provides data security information. “The FTC does not have the power to enforce regulations on government, banks, savings and loan institutions, the insurance industry, and nonprofits, which include colleges and universities. These limitations seem significant.”