In the last couple of posts I talked about current laws and how they relate to the Fourth Amendment. In this post I will talk about three bills that are working their way through Congress. These bills are a response to the massive data breaches at Sony and Citigroup. As with any legislation, it is unclear whether these bills will make it to the floor to be voted on and, if so, what their final content will be. According to govtrack.us, each of the three bills has an 8% chance of passing.
The first bill is S. 1408: Data Breach Notification Act of 2011 (http://www.govtrack.us/congress/bills/112/s1408). This bill would require federal agencies and businesses that "engage in interstate commerce" and process data containing PII to disclose any breaches. Key points of this bill are:
- A written notice of a security breach to individuals by mail, telephone, and e-mail.
- Notice to major media outlets if a security breach involves more than 5,000 individuals.
- A description of the categories of sensitive personally identifiable information acquired by an unauthorized person.
- A toll-free telephone number for contacting an agency or business entity to ascertain the types of personal information maintained by such agency or entity.
- The toll-free telephone numbers and addresses for the major credit reporting agencies. Authorizes a state to require that a notification also include information about victim protection assistance provided by that state.
The next bill is S. 1535: Personal Data Protection and Breach Accountability Act of 2011 (http://www.govtrack.us/congress/bills/112/s1535). Its stated purpose is:
A bill to protect consumers by mitigating the
vulnerability of personally identifiable information (PII) to theft through a
security breach, providing notice and remedies to consumers in the wake of such
a breach, holding companies accountable for preventable breaches, facilitating
the sharing of post-breach technical information between companies, and
enhancing criminal and civil penalties and other protections against the
unauthorized collection or use of PII.
Key points of this bill are:
- Fines businesses that willfully conceal a security breach involving sensitive personally identifiable information.
- Applies to interstate businesses that collect, access, transmit, use, store, or dispose of sensitive PII on 10,000 or more U.S.
The last bill is S. 1151: The Personal Data Privacy and Security Act of 2011 (http://www.govtrack.us/congress/bills/112/s1151). This bill aims to prevent and mitigate identity theft, ensure privacy, provide notice of security breaches, and enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information. This bill defines sensitive PII as:
- Specified combinations of data elements in electronic or digital form, such as an individual's first and last name or first initial and last name in combination with home address or telephone number, mother's maiden name, and date of birth.
- A non-truncated social security number, driver's license number, passport number, or government-issued unique identification number.
- Unique biometric data, such as a fingerprint, voice print, retina or iris image, or other unique physical representation.
- A unique account identifier.
- Any security code, access code, password, or secure code that could be used to generate such codes or passwords.
The evidence is clear that data breaches are a pervasive problem for most organisations in the United States today. Yet, despite negative repercussions in terms of cost outlays and reputation diminishment, many companies do not take appropriate steps to prevent the data breach or to prepare for and mitigate the risks when the inevitable occurs. In reality, it's rather easy by using secure data room services.
Sam, thank you for the comment. Virtual data rooms by themselves cannot prevent data breaches. They do provide a service for deals like M&A.