US Senate proposes national data breach notification act

Filed Under: Data loss, Featured, Law & order, Privacy

Senator Pat Toomey, Republican from Pennsylvania, and four other Republicans have introduced Senate Bill 3333, the Data Security and Breach Notification Act of 2012.

This is at least the fourth attempt at passing national legislation in the US to consolidate the more than 40 different state laws currently in place. A single law will simplify compliance and ensure a more uniform notification process when a breach occurs.

This year's attempt is a bit more watered down and less specific than the version President Obama proposed in 2011, but it would still be a big improvement if it can be passed in this congressional session.

Essentially, the law states that organizations holding personal information on individuals in electronic form, which suffer a breach that may have exposed that information to unauthorized parties, are required to notify victims who are residents or citizens of the United States.

If the breach impacts 10,000 or more people, the organization will also be required to notify the FBI or the US Secret Service. Law enforcement agencies can request, in writing, that the organization delay notification if doing so might compromise a criminal investigation or have an impact on national security.

No specific guidance is given as to how quickly notification should be provided, other than "as expeditiously as practicable and without unreasonable delay".

Notification should be made by postal mail, telephone or email unless the victims' contact details are unavailable. In that case, organizations can post "a conspicuous notice on the Internet website of the covered entity" or provide notice via print, radio and television in the areas where victims may be located.

The Federal Trade Commission (FTC) would be responsible for enforcement and penalties under the act, and fines are limited to $500,000 per incident.

What is considered to be personal information?

  • Social Security Numbers
  • Driver's license numbers
  • Passport numbers
  • Military ID numbers
  • Government-issued identification numbers
  • Financial account numbers
  • Credit or debit card numbers
  • Any required security codes, access codes or passwords necessary to access financial accounts

The only material exclusions relate to information that is already published publicly by Federal, State or local governments or other widely distributed media.

As a privacy advocate I wish this bill had more teeth and covered more types of data, but the current situation in the US is a real mess, so this is still a welcome improvement.

Perhaps the upcoming election will motivate Congress to pass some legislation that helps the everyman and gives politicians something positive to hang their hats on. I wouldn't hold your breath, but we can hope.

SQL injection and Personal Data key images courtesy of Shutterstock.

3 Responses to US Senate proposes national data breach notification act

  1. Dissent · 787 days ago

    How can this possibly be considered any kind of improvement when the bill would override much stronger state laws? Residents of California, Massachusetts, and any state where there is greater protection should fight this bill.

    Note that the trigger for this bill is not just access but acquisition AND the covered entity must reasonably believe that the individuals have been or will be harmed - where harm is defined only as ID theft or other *financial* harm.

    So all the 170,000 people who had their details (but not CCN) stolen and their private chats dumped on the Internet in the MilitarySingles.com hack would not have to be notified.

    And any university that had a laptop with 500,000 SSN stolen wouldn't have to notify those affected if they *believed* that it was just an opportunistic theft for the hardware?

    No, I don't like this bill at all.

  2. Joe-Bob Wang · 786 days ago

    If this bill requires all businesses to notify U.S. citizens in the event of a security breach, then that would require all businesses to determine whether their customers are U.S. citizens.

    That ITSELF sounds like yet another privacy intrusion. (sigh)

    No doubt the Republican buffoons behind this new bad joke are as well-intentioned as their Democratic counterparts...and equally inept. Once again, the political system proves itself to be a fiasco from hell...creating more of the very same problems it fails to solve.

  3. roy jones jr · 780 days ago

    Chester is right. The bill should have more teeth. Only 10,000? Why not a lower number?

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.