House passes bill to require data breach notifications

Legislation would set national standards for notifying potential victims of identity theft

The House has passed a bill that would set nationwide rules for notifying potential victims of identity theft when their electronically stored personal information is improperly exposed.

Under the legislation, companies that hold people’s personal data would be required to notify affected U.S. citizens and residents, as well as the Federal Trade Commission, if a security breach of a system holding the electronic data puts people at risk. The House approved the measure, which Rep. Bobby Rush (D-Ill.) introduced in April, on Dec. 8.

The national requirements would preempt related state information security laws. Supporters of a national notification requirement say a federal mandate could simplify the complex patchwork of state laws that have been passed in the absence of one.

The bill defines personal information as a person’s first name or initial and last name or address or phone number in combination with a number on a person’s government-issued identification document such as a Social Security number, driver’s license number, passport, military identification number, or a financial account number with access information.

Generally, notification would have to happen within 60 days of the discovery of the problem. The legislation would apply to entities under the jurisdiction of the Federal Trade Commission (FTC).

However, covered people or companies would be exempt from the notification requirements if they determine that there is no “reasonable risk of identity theft, fraud, or other unlawful conduct.” Meanwhile, if electronic data is made unusable, unreadable or indecipherable by encryption, the presumption under the law would be that there was no reasonable risk after a security breach.

In general, the bill would require the FTC to:

  • Put in place regulations to require businesses to protect personal information they hold.
  • Identify security methodologies or technologies that render electronic data unusable.
  • Post data breach notices on the commission's Web site if that would be a benefit to the public.
  • Conduct a study on the practicality of issuing breach notices in languages other than English.

In general, information brokers, or companies whose business is to collect information on people who aren’t current or former customers, would have to:

  • Give the FTC copies of their security policies if a data breach happens.
  • Let the FTC audit their information security practices if a breach happens.
  • Establish reasonable procedures to ensure that the data the business collects, in general, is as accurate as possible.
  • Upon request, let people have access to their personal data that is being maintained.
  • When requested to do so in writing, correct legitimate inaccuracies in data being held.

The bill is now in the Senate. In a separate development, in November the Senate Judiciary Committee approved two bills that would impose data breach notification requirements on businesses.

About the Author

Ben Bain is a reporter for Federal Computer Week.
