Congress Considers Security Breach and Data Security Bills
Last week, the Senate's Commerce, Science and Transportation Committee unanimously approved an identity theft bill, entitled the "Identity Theft Protection Act of 2005" (S. 1408), designed to "set[] national standards to safeguard individual personal information, to notify consumers of data breaches, to require businesses to improve their safeguards for sensitive consumer information, to give consumers the right to freeze their credit reports to thwart identity theft, and to limit the solicitation of social security numbers by commercial entities." If enacted, the bill would authorize the Federal Trade Commission to specify "physical and technological safeguards" that business and other entities that collect personal information would be required to put in place.
Further, the bill provides that if a breach occurs, and "there is a reasonable risk that the information could be used for identity theft," the affected consumers must be notified (for larger breaches, the entity must report the breach to the FTC). Failure to notify consumers or the FTC can lead to fines of up to $11,000 per individual consumer (with a cap of $11 million per breach).
The bill would pre-empt state statutes to "create more uniform and efficient compliance."
The Senate Judiciary Committee did not vote on Thursday, as expected, on the wide-ranging Personal Data Privacy and Security Act, which would impose criminal penalties on data theft.
In the House of Representatives, the Subcommittee on Commerce, Trade and Consumer Protection of the Energy and Commerce Committee held a hearing on data protection legislation, and announced that it intends to introduce a data security bill in September.
Posted by Lance Koonce