House passes bill to require data breach notifications

Legislation would set national standards for notifying potential victims of identity theft

The House has passed a bill that would set nationwide rules for notifying potential victims of identity theft when their electronically stored personal information is improperly exposed.

Under the legislation, companies that hold people’s personal data would be required to notify the affected people who are U.S. citizens and residents, as well as the Federal Trade Commission, if a security breach of a system that holds the electronic data puts people at risk. The House approved the measure, which was introduced in April by Rep. Bobby Rush (D-Ill.), on Dec. 8.

The national requirements would preempt related state information security laws. Supporters of a national notification requirement say a federal mandate could simplify a complex patchwork of state laws that have been passed without a federal mandate.

The bill defines personal information as a person’s first name or initial and last name, or address, or phone number, in combination with a number on a person’s government-issued identification document such as a Social Security number, driver’s license number, passport, military identification number, or a financial account number with access information.

Generally, notification would have to happen within 60 days of the discovery of the problem. The legislation would apply to entities under the jurisdiction of the Federal Trade Commission (FTC).

However, covered people or companies would be exempt from the notification requirements if they determine that there is no “reasonable risk of identity theft, fraud, or other unlawful conduct.” Meanwhile, if electronic data is made unusable, unreadable or indecipherable by encryption, the presumption under the law would be that there was no reasonable risk after a security breach.

In general, the bill would require the FTC to:

  • Put in place regulations to require businesses to protect personal information they hold.
  • Identify security methodologies or technologies that render electronic data unusable.
  • Post data breach notices on the commission's Web site if that would be a benefit to the public.
  • Conduct a study on the practicality of issuing breach notices in languages other than English.

In general, information brokers, or companies whose business is to collect information on people who aren’t current or former customers, would have to:

  • Give the FTC copies of their security policies if a data breach happens.
  • Let the FTC audit their information security practices if a breach happens.
  • Establish reasonable procedures to assure that the data the business collects is, in general, as accurate as possible.
  • Upon request, let people have access to their personal data that is being maintained.
  • When requested to do so in writing, correct legitimate inaccuracies in data being held.

The bill is now in the Senate. In a separate development, in November the Senate Judiciary Committee approved two bills that would impose data breach notification requirements on businesses.

About the Author

Ben Bain is a reporter for Federal Computer Week.
