Undeterred, two senators will try again to get their colleagues to enact legislation that they contend would better safeguard sensitive information and notify consumers of a data breach when personally identifiable information is exposed.
Sen. Tom Carper, D-Del., and Roy Blunt, R-Mo., couldn't get a floor vote for their legislation in the last Congress, but on Jan. 15 introduced a new version of the bill - the Data Security Act of 2014 - that would require financial institutions, retailers, governments and other organizations to better protect sensitive information, investigate security breaches and notify consumers when a substantial risk exists of identity theft or account fraud.
Carper, in introducing the bill, cites the recent breaches of retailers Target and Neiman Marcus as reminders that these incidents are becoming routine (see Retail Breaches: Who's Next?). "We cannot allow technology advances to outpace the security measures in place to safeguard the transactions we conduct in person and online," he says.
Requirements in the bill would apply to businesses that take credit or debit card information, data brokers that compile private information and government agencies that possess nonpublic personal information.
Nationalizing Breach Notification
The Data Security Act, if enacted, would replace the existing patchwork of 46 state laws by establishing one set of national standards. The bill's sponsors say inconsistent and conflicting state-by-state standards force public and private entities to comply with multiple regulations, leaving many consumers in a confusing web of regulation depending on the state.
The bill also would require businesses and government agencies to investigate the scope of a breach and the type of information compromised or potentially compromised, and to determine whether the information is likely to be used to cause harm to an individual or to commit bank fraud. If it's determined that the compromise would cause harm, the targeted organization must notify all consumers affected by the breach, as well as the appropriate federal regulatory agency, law enforcement and, if the breach affects more than 5,000 consumers, the national consumer reporting agencies.
The sponsors say the Data Security Act is modeled after the data security and breach-response regime established under the Gramm-Leach-Bliley Act of 1999. Those provisions require financial institutions to ensure the security and confidentiality of customer information, protect against anticipated threats to the integrity of sensitive records and safeguard against unauthorized access to information that could result in substantial harm to any customer.
Earlier this month, Sen. Patrick Leahy, D-Vt., introduced for the fifth time the Personal Data Privacy and Security Act, comprehensive legislation that also would nationalize data breach notification under a single law. Leahy's bill is broader than the Carper-Blunt measure and provides tough criminal penalties for those who intentionally conceal a data breach that causes economic damage to consumers.
One indication of how hard it is to pass data security and breach notification legislation is the way Congress handles the various bills. Different lawmakers have their own priorities, which can conflict with their colleagues' agendas. This is manifested in various committees claiming oversight over the same or similar issues. Leahy's bill, for instance, is being considered by the Senate Judiciary Committee, which he chairs. However, the Carper-Blunt bill has been assigned to the Senate Banking, Housing and Urban Affairs Committee. Another data breach bill, sponsored by Sen. Pat Toomey, R-Pa., was referred to the Senate Commerce Committee. "The path to legislation is complicated," says Peter Swire, senior fellow at the Future of Privacy Forum, a Washington think tank advocating responsible data practices (see Why U.S. Breach Notice Bill Won't Pass).
Carper and Blunt introduced their bill days after lawmakers in Kentucky introduced legislation that would make the Bluegrass State the 47th state to enact a data breach notification law (see Ky. Lawmakers Unveil Breach Notification Bill). The Kentucky bill would not apply to privately owned and operated enterprises.
The legislation also comes a week after congressional auditors issued a report finding that the eight federal agencies they examined responded inconsistently to computer breaches involving personally identifiable information (see Agencies Uneven in PII Breach Response).