A number of bills on data breaches have been sent to the US Congress for deliberation. In the future, one of them may well become a federal law, but if the current level of activity devoted to the issue is anything to go by, it could be some time from now.
It has already been 17 months since the widely publicized data breach at ChoicePoint. Since then Congress has been “working” on the adoption of a law governing leaks of personal data. But what exactly have the politicians achieved? Nothing. There has merely been talk of what can be done in the future. In the meantime, the Privacy Rights Clearinghouse has documented data security breaches affecting almost 90 million people in the US, whose personal information has potentially been exposed by unauthorized access to their data. The list is long, including Bank of America, LexisNexis, DSW, MCI, Ameritrade, Time Warner, Boeing, Ford Motor Company, Verizon, MasterCard, Wells Fargo, the American Red Cross and a host of colleges and government agencies.
While Congress has been deliberating, some states have moved to protect their citizens, with at least 34 of them passing laws on data breaches. It is obvious that such a pot-pourri of legislative acts is a hindrance for companies operating on a national scale. However, the federal bills that could rectify the situation are multiplying in Congress. Which one will become law? It is still unclear. It is quite possible that it will be a completely new bill which nobody has seen yet. Below is a summary of the bills that are currently being considered by Congress.
Security Bills in Progress

H.R. 4127 The Data Accountability and Trust Act
Requires any entity that experiences a breach of security to notify those in the U.S. whose information was acquired by an unauthorized person as a result of the breach. In addition, they must let them know that the chance of identity theft is "reasonably likely." Conspicuous notice on the breached entity's Web site is also required. The FTC must also be notified. Preempts state information security laws.
Status: Passed House Energy and Commerce Committee in June. Awaits House vote.

H.R. 3997 The Financial Data Protection Act
Gives companies discretion in deciding whether a breach was serious enough to inform consumers. Would preempt stronger state laws. And while extending the concept of the security freeze nationwide, the bill would allow only individuals who have been victims of identity theft to freeze their records.
Status: Passed the House Financial Services Committee in March. Awaits House vote.

H.R. 5318 Cyber-Security Enhancement and Consumer Data Protection Act
Establishes new federal crimes for improper use of personal electronic records and other criminal activity involving computers.
Status: Passed the House Judiciary Committee in June. Awaits House vote.

S. 1789 Personal Data Privacy and Security Act
Companies must report data breaches that have a "significant risk of harm" for identity theft. The bill also would require most government agencies to notify any individuals whose information has been unlawfully accessed. It would require data brokers to provide individuals with their personally identifiable information and to change the information if it is incorrect.
Status: Passed Senate Judiciary Committee in November 2005. Awaits Senate vote.

S. 1326 Notification of Risk to Personal Data Act
In the event of a security breach that creates a "significant risk of identity theft," companies would be required to notify all individuals whose personal information was compromised. The bill also would create civil penalties for entities that fail to provide notice of security breaches to affected individuals.
Status: Passed Senate Judiciary Committee in October 2005. Awaits Senate vote.

S. 1408 Identity Theft Protection Act
Requires data breach disclosure to consumers if there is a reasonable risk of identity theft. Preempts state laws related to security breach notification.
Status: Passed Senate Commerce Committee in December 2005. Awaits Senate vote.

Source: Internet News