House passes bill to require data breach notifications

Legislation would set national standards for notifying potential victims of identity theft

The House has passed a bill that would set nationwide rules for notifying potential victims of identity theft when their electronically stored personal information is improperly exposed.

Under the legislation, companies that hold people’s personal data would be required to notify affected U.S. citizens and residents, as well as the Federal Trade Commission, if a security breach of a system that holds the electronic data puts people at risk. The House approved the measure, which was introduced in April by Rep. Bobby Rush (D-Ill.), on Dec. 8.

The national requirements would preempt related state information security laws. Supporters of a national notification requirement say a federal mandate could simplify a complex patchwork of state laws that were passed in the absence of one.

The bill defines personal information as a person’s first name or initial and last name or address or phone number in combination with a number on a person’s government-issued identification document, such as a Social Security number, driver’s license number, passport, military identification number, or a financial account number with access information.

Generally, notification would have to happen within 60 days of the discovery of the problem. The legislation would apply to entities under the jurisdiction of the Federal Trade Commission (FTC).

However, covered people or companies would be exempt from the notification requirements if they determine that there is no “reasonable risk of identity theft, fraud, or other unlawful conduct.” Meanwhile, if electronic data is made unusable, unreadable or indecipherable by encryption, the presumption under the law would be that there was no reasonable risk after a security breach.

In general, the bill would require the FTC to:

  • Put in place regulations to require businesses to protect personal information they hold.
  • Identify security methodologies or technologies that render electronic data unusable.
  • Post data breach notices on the commission's Web site if that would be a benefit to the public.
  • Conduct a study on the practicality of issuing breach notices in languages other than English.

In general, information brokers, or companies whose business is to collect information on people who aren’t current or former customers, would have to:

  • Give the FTC copies of their security policies if a data breach happens.
  • Let the FTC audit their information security practices if a breach happens.
  • Establish reasonable procedures to assure the data the business collects, in general, is as accurate as possible.
  • Upon request, let people have access to their personal data that is being maintained.
  • When requested to do so in writing, correct legitimate inaccuracies in data being held.

The bill is now in the Senate. In a separate development, in November the Senate Judiciary Committee approved two bills that would impose data breach notification requirements on businesses.

About the Author

Ben Bain is a reporter for Federal Computer Week.
