Soon after the president's call for federal data breach legislation, a senator announced that he is penning a bill that carries a 30-day notification requirement for breached entities.
The 30-day requirement, which President Obama also proposed in a Monday speech at the Federal Trade Commission (FTC), would prevail over state data security and breach notification laws, according to a draft summary of the bill sent to SCMagazine.com.
Sen. Bill Nelson, D-Fla., is in the final stages of drafting the Data Security and Breach Notification Act of 2015, a Tuesday release from the U.S. Senate Committee on Commerce, Science, and Transportation said.
A year ago, Sen. Nelson, alongside Sens. Dianne Feinstein, D-Calif., John Rockefeller, D-W.Va., and Mark Pryor, D-Ark., introduced similar legislation, but the bill failed to move forward after it was referred to the committee.
The bill, in its current form, would authorize the FTC and state attorneys general “to enforce the data security and breach notification provisions of the Act,” meaning that entities could face civil penalties levied by the FTC over “unfair or deceptive acts or practices under Section 18 of the FTC Act,” the draft summary said.
Under the law, entities would have no more than 30 days to notify consumers of a breach, if it puts them at “reasonable risk” of fraud, identity theft or “unlawful conduct as a result of the breach,” except for certain scenarios – when it is determined that the 30-day timeframe is “not feasible,” or if the FBI or Secret Service informs the organization that notification would “impede criminal investigation or national security.”
The summary later noted that, “to aid law enforcement, the bill would require covered entities to report security breaches to a federal entity to be designated by the Department of Homeland Security when the breach (1) is of certain magnitude, (2) involves databases owned by the federal government, or (3) involves information on personnel in national security or law enforcement.”
Along with a breach notification standard, the bill will also include a data security mandate, which would require entities that maintain personal information to develop a data security program.
In the legislation, “personal information” is characterized as an individual's “non-truncated” Social Security number (meaning not redacted) or financial account number, and any password or code. A combination of identifying information would also be protected under the law.