The 100-page measure, introduced by Sen. Richard Blumenthal, D-Conn., and called the Personal Data Protection and Breach Accountability Act of 2011, would require businesses holding the data of more than 10,000 customers to implement privacy and security programs to ensure that information is protected. As part of such programs, businesses would be required to conduct risk assessments and regularly test key controls and systems.
“My goal is to prevent and deter data breaches that put people at risk of identity theft and other serious harm both by helping protect consumers' data before breaches occur, and by holding entities accountable when consumers' personally-identifiable information is compromised,” Blumenthal said in a news release.
The bill would also create a federal data breach notification rule, requiring businesses that collect personal information to notify customers “without unreasonable delay” if their data has been breached. Breached entities would be required to offer victims two years of free credit monitoring services.
Companies that violate the law would be subject to hefty fines. The Department of Justice would be able to fine violators $5,000 per infraction each day, up to $20 million for each violation. Additionally, consumers affected by violations of the law would be able to file civil actions against the firm in question.
The bill is just one of several introduced this year in Congress dealing with privacy issues.
“It's apparent that Congress is increasingly concerned about privacy issues,” Trevor Hughes, president and CEO of the nonprofit International Association of Privacy Professionals (IAPP), told SCMagazineUS.com on Monday.
Privacy bills traditionally have focused on the principles of notice and choice, aiming to give consumers options about how their data is used, Hughes said. Blumenthal's bill, however, focuses on the principle of accountability by holding businesses responsible for appropriately managing data.
“That development might be well received by many in the privacy community,” he said.
A law that “harmonized” the patchwork of existing state privacy and data security requirements would likely be helpful to businesses and widely supported, Andy Serwin, chair of the privacy practice at Foley and Lardner, a Milwaukee-based law firm, told SCMagazineUS.com on Monday.
“If we are going to have comprehensive legislation at the federal level, careful thought would need to be given on how that integrates with what states have already done,” Serwin said.
The bill was referred to the Senate Judiciary Committee for review.