US Senate proposes national data breach notification act

Senator Pat Toomey, Republican from Pennsylvania, and four other Republicans have introduced Senate Bill 3333, the Data Security and Breach Notification Act of 2012.

This is at least the fourth attempt at passing national legislation in the US to consolidate the more than 40 different state laws currently in place. A single law will simplify compliance and ensure a more uniform notification process when a breach occurs.

This year’s attempt is a bit more watered down and less specific than the version President Obama proposed in 2011, but it would still be a big improvement if it can be passed in this congressional session.

Essentially, the bill requires any organization that holds personal information on individuals in electronic form, and that suffers a breach which may have exposed that information to unauthorized parties, to notify the affected victims who are residents or citizens of the United States.

If the breach affects 10,000 or more people, the organization will also be required to notify the FBI or the US Secret Service. Law enforcement agencies can request, in writing, that the organization delay notification if notifying victims might compromise a criminal investigation or have an impact on national security.

No specific guidance is given as to how quickly notification should be provided, other than “as expeditiously as practicable and without unreasonable delay”.

Notification should be made by postal mail, telephone or email unless the victims’ contact details are unavailable. In that case, organizations can post “a conspicuous notice on the Internet website of the covered entity” or provide notice via print, radio and television in the areas where victims may be located.

The Federal Trade Commission (FTC) would be responsible for enforcement and penalties under the act, and fines are capped at $500,000 per incident.

What is considered to be personal information?

  • Social Security Numbers
  • Driver’s license numbers
  • Passport numbers
  • Military ID numbers
  • Government issued identification numbers
  • Financial account numbers
  • Credit or debit card numbers
  • Any required security codes, access codes or passwords necessary to access financial accounts

The only material exclusions are for information that has already been lawfully made public by Federal, State or local governments or by other widely distributed media.

As a privacy advocate I wish this bill had more teeth and covered more types of data, but the current situation in the US is a real mess, so this is still a welcome improvement.

Perhaps the upcoming election will motivate Congress to pass some legislation that helps the everyman and gives politicians something positive to hang their hats on. I wouldn’t hold your breath, but we can hope.