Federal data breach legislation stalls

California strengthens its breach notification requirements, as federal legislation that would replace state laws goes nowhere in Congress.

Bills that would strengthen notification requirements for data breaches have stalled in Congress. Meanwhile, California -- which enacted the nation's first data breach notification law in 2002 -- has passed its own legislation strengthening and clarifying the requirements for notifying individuals when their personal information has been compromised.

In Washington, D.C., legislation is pending in both houses of Congress that would replace the current patchwork of 47 state laws for informing consumers when they are at risk of identity theft and other fraud. A House subcommittee passed a bill in July, but the full committee has not acted on it, and the chances of both houses agreeing on a bill in the face of what is becoming a two-year election season appear slim.

The theft or accidental exposure of sensitive personal information is not restricted to digital data, but the growth of online commerce and the networking of business systems have made IT data breaches a high-profile concern. According to the Federal Trade Commission, identity theft was the No. 1 complaint category in 2009, the last year for which figures are available, accounting for 21 percent of all complaints.

California has required since 2002 that businesses in the state notify state residents if their unencrypted personal data has been exposed, but the details of the notification were never specified. Senate Bill 24, passed by both houses of the California legislature in August, specifies the information that must be given to possible victims of a data breach and also requires that the state attorney general be notified when more than 500 individuals have been affected.

The notifications must be written in plain language and include contacts for additional information, specify what information was exposed and when the breach occurred, and give a description of the breach. Contact information for the credit bureaus also must be provided. Individual notice is required for incidents involving information on fewer than 500,000 persons; for larger breaches, or when the cost of notification would exceed $250,000, substitute notice is allowed through prominent notice on Web sites and through the news media.

One of the key drivers for passing a federal notification law would be to establish a single national standard in place of the 47 state laws that businesses now must comply with. But federal preemption of state laws is controversial because state requirements are sometimes stricter than the federal proposals, and many privacy advocates would prefer to keep the stricter state provisions on the books.

The Electronic Privacy Information Center objects to the bill recently acted on by the House Commerce subcommittee, saying it preempts stronger state law without adequately protecting information.

The bill, H.R. 2577, the Secure and Fortify Electronic Data Act, in addition to requiring notification of individuals within 45 days, or "as promptly as possible," also requires organizations holding personal information to establish policies for handling and protecting it, taking into consideration the complexity and expense of implementing safeguards. Plans to minimize the amount of personal information retained also are required.

In the Senate, Sen. Patrick Leahy (D-Vt.) has introduced S. 1011, the Electronic Communications Privacy Act Amendments Act of 2011; he has introduced similar legislation in each of the last three sessions of Congress without success.