data theft

Proposed bill would establish standards for national data security

The bill, introduced in the Senate on January 15, 2014 and cited as the Data Security Act of 2014, would require entities such as financial institutions, retailers, and federal agencies to better safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud. The new requirements would apply to businesses that take credit or debit card information, data brokers that compile private information, and government agencies that possess nonpublic personal information.

January 23rd, 2014|Legislation|

Subcommittee approves legislation to protect consumers against data theft

On July 20, 2011, the Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved legislation to protect consumers from cyber attacks and identity theft. The Secure and Fortify Electronic Data Act (H.R. 2577), or SAFE Data Act now moves to the full Energy and Commerce Committee for consideration.

The Act would require all businesses that maintain personal information to implement security programs, which, among other mandates, would include a protocol to notify affected individuals of an information security breach. Preempting over 45 existing state information security and breach notification laws, the Act would task the Federal Trade Commission with developing the security rules.

According to its author, Chairman Bono Mack, the Act will enhance protection of personal information by establishing uniform national standards for data security and data breach notification. The preemption provision also would provide certainty for businesses in addressing information security breaches that now are subject to the multitude of state requirements.

Some legislators and advocates have criticized the proposed law as too narrow, as it would require breach notifications only when an individual’s name, telephone number or credit card number is compromised along with a Social Security number, driver’s license number or other government-issued ID. With some state laws requiring notification when, for example, a credit card number, financial account number, Social Security number, or biometric data alone (without the individuals name) is compromised, the practical notification threshold under current state breach notification laws may be significantly lower than that proposed by the Safe Data Act.

Go to Top