
National Breach Notification Bill Advances

Amendments to Keep Some State Safeguards Rejected
Rep. Peter Welch, D-Vt., is a sponsor of the bill.
Efforts by some Democratic members of a House subcommittee to amend a national data breach notification bill so that states could retain tougher data security requirements have failed.


After voting down Democratic-sponsored amendments, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade approved March 25 the Data Security and Breach Notification Act of 2015, moving the legislation to create a national standard for data breach notification one step closer to a House vote (see: Barriers to a Breach Notification Law). The measure's next stop is the full Energy and Commerce Committee.

Sponsors of the measure are Reps. Marsha Blackburn, R-Tenn., and Peter Welch, D-Vt. (see: Seeking Compromise on Data Breach Notice Bill).

The legislation, if enacted, would supersede the breach notification laws in 51 different jurisdictions - 47 states, three territories and Washington, D.C. - with a single federal statute. It also would pre-empt provisions in the laws of some states that define specific security measures companies must take to safeguard the personally identifiable information of consumers. The federal bill would only require businesses and other organizations to implement and maintain "reasonable security measures and practices" to secure personal information.

One of the amendments rejected by the committee would have allowed states to define specific security measures.

"The [bill] eliminates state data security laws with an unclear standard that surely will be litigated and left to judicial interpretation," said Rep. Frank Pallone, the New Jersey Democrat who is the full committee's ranking member.

Welch, one of the bill's sponsors, pointed out that states weren't shut out of the legislation because their attorneys general, along with the Federal Trade Commission, would enforce a national data breach notification law.

Notification Requirements

The bill would require consumer notification no later than 30 days after the organization has taken "necessary measures" to determine the scope of the breach and restored the reasonable integrity, security and confidentiality of the data systems.

Each violation of the proposed law would be subject to a fine of up to $2.5 million. Organizations already subject to the Health Insurance Portability and Accountability Act's breach notification requirements would be exempt from the bill's requirements.

The measure would require organizations to conduct a good faith investigation after discovering a breach to determine if there is a reasonable risk of identity theft, economic loss or harm, or financial fraud.

About the Author

Eric Chabrow


Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
