Federal data breach legislation stalls

Bills that would strengthen notification laws for data breaches have stalled in Congress. Meanwhile, California -- which enacted the nation's first data breach notification law in 2002 -- has passed its own legislation strengthening and clarifying the requirements for notifying individuals when their personal information has been compromised.

In Washington, D.C., legislation is pending in both houses of Congress that would replace the current patchwork of 47 state laws for informing consumers when they are at risk of identity theft and other fraud. A House subcommittee passed a bill in July, but the full committee has not acted on it, and the chances of both houses agreeing on a bill in the face of what is becoming a two-year election season appear slim.

The theft or accidental exposure of sensitive personal information is not restricted to digital data, but the growing use of online commerce and the networking of business systems have made IT data breaches a high-profile concern. According to the Federal Trade Commission, identity theft was the No. 1 complaint category for 2009, the last year for which figures are available, accounting for 21 percent of all complaints.


California has required since 2002 that businesses in that state notify state residents if their unencrypted personal data has been exposed, but the details of the notification were not specified. Senate Bill 24, passed by both houses of the California legislature in August, specifies the information that must be given to possible victims of a data breach and also requires that the state attorney general be notified when more than 500 individuals have been affected.

The notifications must be written in plain language and include contacts for additional information, as well as specify what information was exposed, when the breach occurred, and give a description of the breach. Contact information for the credit bureaus also must be provided. Individual contact is required for incidents involving information on fewer than 500,000 persons, but for larger breaches, or when the cost of individual notification would exceed $250,000, substitute notification is allowed through prominent notice on Web sites and through the news media.

One of the key drivers for passing a federal notification law would be to establish national standards that would replace the 47 state laws that businesses now must comply with. But federal preemption of state laws is controversial because state requirements are sometimes more strict than federal proposals, and many privacy advocates would prefer to keep stricter state provisions on the books.

The Electronic Privacy Information Center objects to the bill recently acted on by the House Commerce subcommittee, saying it preempts stronger state law without adequately protecting information.

The bill, H.R. 2577, the Secure and Fortify Electronic Data Act, in addition to requiring notification of individuals within 45 days, or "as promptly as possible," also requires organizations holding personal information to establish policies for handling and protecting it, while taking into consideration the complexity and expense of implementing safeguards. Plans to minimize the amount of personal information maintained also are required.

In the Senate, Sen. Patrick Leahy (D-Vt.) has introduced S.1011, the Electronic Communications Privacy Act Amendments Act of 2011, and has introduced similar legislation in the last three sessions of Congress without success.


About the Author

William Jackson is a Maryland-based freelance writer.
