Senate Panel OKs National Breach Notification Bill

Republicans Contend Legislation Could Be Burden on Business
Senate Panel OKs National Breach Notification Bill
Breach notification laws in most states would be preempted if legislation approved by the Senate Judiciary Committee Thursday becomes law. But that's a big if, at least as it now stands.

The 10 Democrats and eight Republicans on the committee split along party lines in approving the three different, but related measures, with overlapping provisions, aimed at strengthening privacy protection and nationalizing breach notification.

It was the fourth time in as many Congresses that one of the bills - the Personal Data Privacy and Security Act - passed the Judiciary Committee. If the 10-8 party-line vote is any indication, it might be the fourth time in as many Congresses that the bill will not become law as well, because of objections by Republicans, who could hold up votes in the Senate and maintain a majority in the House of Representatives.

The other bills approved by the committee Thursday were the Data Breach Notification Act and the Personal Data Protection and Breach Accountability Act.

Sen. Charles Grassley, the Iowa Republican who's the committee's ranking member, contends the legislation would burden businesses with more regulation. "Under this bill, we may end up with more burdensome regulations, small businesses forced into bankruptcy, jobs lost and consumers still going unprotected because the over-notifications will be ignored," Grassley said in a statement prior to the vote.

Senate Judiciary Committee Chairman Patrick Leahy, the Vermont Democrat who sponsored one of the bills, expressed disappointment that no Republican supported the measures, noting that in past years, the privacy legislation received bipartisan support.

Though the committee approved some Republican amendments - such as providing a three-year mandatory prison term - sentences could reach a maximum of 20 years - for those convicted of fraud under the legislation's criminal provisions, which Leahy opposed - other amendments the GOP sponsored were defeated, such one that would have banned the use of contingency fees by states attorneys general to help pay for legal suits brought against alleged violators in federal court.

Among the legislation's key provisions:

  • Require businesses that maintain personally identifiable information on 10,000 or more Americans to develop a personal data privacy and security program to regularly assess, manage and control risks; provide employee training; conduct tests to identify system vulnerabilities; ensure that overseas service providers retained to handle personally identifiable information take reasonable steps to secure that data; and periodically assess its data privacy and security program to ensure that the program addresses current threats.
  • Notify individuals of a breach within 60 days by telephone or e-mail, if the user so designates, unless the organization can prove the hack did not cause much harm. Exceptions are provided in cases that notification could threaten a criminal investigation.
  • Preempts state laws on breach notification, with the exception of state laws that provide consumers with information about victim protection assistance that maybe be available to consumers in a particular state. Because the breach notification requirements in the bill do not apply to state and local governments, this provision does not to preempt state or local laws regarding their obligations to provide notice of a data breach.
  • Requires breached organizations to post a media notice and alert credit reporting agencies if the hack involves 5,000 or more individuals.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.