Senate Panel OKs National Breach Notification Bill
Republicans Contend Legislation Could Be Burden on Business
The 10 Democrats and eight Republicans on the committee split along party lines in approving three different but related measures, with overlapping provisions, aimed at strengthening privacy protection and nationalizing breach notification.
It was the fourth time in as many Congresses that one of the bills - the Personal Data Privacy and Security Act - passed the Judiciary Committee. If the 10-8 party-line vote is any indication, it might be the fourth time in as many Congresses that the bill will not become law as well, because of objections by Republicans, who could hold up votes in the Senate and maintain a majority in the House of Representatives.
The other bills approved by the committee Thursday were the Data Breach Notification Act and the Personal Data Protection and Breach Accountability Act.
Sen. Charles Grassley, the Iowa Republican who's the committee's ranking member, contends the legislation would burden businesses with more regulation. "Under this bill, we may end up with more burdensome regulations, small businesses forced into bankruptcy, jobs lost and consumers still going unprotected because the over-notifications will be ignored," Grassley said in a statement prior to the vote.
Senate Judiciary Committee Chairman Patrick Leahy, the Vermont Democrat who sponsored one of the bills, expressed disappointment that no Republican supported the measures, noting that in past years, the privacy legislation received bipartisan support.
The committee approved some Republican amendments, including one that Leahy opposed: a three-year mandatory prison term, with sentences of up to 20 years, for those convicted of fraud under the legislation's criminal provisions. Other GOP-sponsored amendments were defeated, such as one that would have barred state attorneys general from using contingency-fee arrangements to help pay for suits brought against alleged violators in federal court.
Among the legislation's key provisions:
- Require businesses that maintain personally identifiable information on 10,000 or more Americans to develop a personal data privacy and security program to regularly assess, manage and control risks; provide employee training; conduct tests to identify system vulnerabilities; ensure that overseas service providers retained to handle personally identifiable information take reasonable steps to secure that data; and periodically assess the program to ensure that it addresses current threats.
- Notify affected individuals of a breach within 60 days, by telephone or by e-mail if the individual has so designated, unless the organization can demonstrate that the breach poses no significant risk of harm. An exception is provided where notification could jeopardize a criminal investigation.
- Preempt state laws on breach notification, with the exception of state laws that provide consumers with information about victim protection assistance that may be available to them in a particular state. Because the bill's breach notification requirements do not apply to state and local governments, this provision does not preempt state or local laws governing those governments' own obligations to give notice of a data breach.
- Require breached organizations to post a media notice and alert the credit reporting agencies if the breach involves 5,000 or more individuals.