Data Security and Breach Notification Act would require businesses and nonprofits to adopt security practices that protect stored information from unauthorized access.
Members of a Senate subcommittee said they hope the third time is the charm for passing a bill that would require businesses to install information security controls to protect consumers' personal data and notify them when the information has been compromised.
The Senate's Consumer Protection, Product Safety and Insurance Subcommittee on Wednesday held a hearing to consider for the third time the 2010 Data Security and Breach Notification Act. John Rockefeller, D-W.Va., chairman of the Commerce, Science and Transportation Committee, and Mark Pryor, D-Ark., subcommittee chairman, introduced the bill.
"Both times the Senate has failed to take [the measure] up on the floor. I fully intend to report this bill out of the Commerce committee in next week's markup, and it is my sincere hope that this time -- the third time -- is the charm," Rockefeller said during his opening remarks. The House passed a companion bill by voice vote in December 2009.
The bill would require businesses and nonprofit organizations that maintain large consumer databases to adopt security practices that protect stored information from unauthorized access. It also requires organizations to notify consumers when a security breach results in the possible exposure of their personal information.
Organizations also would be required to inform customers when their data is collected by information brokers for sale to third parties and to give them the opportunity to correct inaccuracies.
Requiring government and businesses to follow reasonable security measures and risk assessments to protect consumer information is essential for mitigating data breaches, most of which are caused by company employees who inadvertently violate policies, Mark Bregman, chief technology officer for security vendor Symantec, said during testimony.
"Other breaches are the result of targeted attacks by organized crime, which are increasingly aimed at stealing information for the purpose of identity theft," he said. "Such attacks are often automated by using malicious code that can penetrate into an organization undetected and export data to remote hacker sites."
Organizations should encrypt sensitive information stored in databases and on hard drives to make it harder to steal, Bregman said.
The Federal Trade Commission supports the bill, but recommended the requirement to notify customers of a security breach not be limited to electronic information, "because the breach of sensitive data stored in paper format can be just as harmful to consumers," Maneesha Mithal, FTC's associate director of the privacy and identity protection division, said during testimony.
According to FTC, the bill also should apply to telecommunications carriers, many of which store large quantities of personal information. Small businesses should be allowed to request a waiver from providing free credit reports or credit monitoring to consumers following a breach, FTC suggested.
Currently, a patchwork of state laws dictates how organizations must report the disclosure of sensitive information. Forty-seven states, as well as the District of Columbia, New York City and Puerto Rico, have breach notification laws, and their requirements vary widely.
"Consumers get strong protections and aggressive enforcement by states' attorneys general," Rockefeller said. "On the other hand, the bill creates national standards that facilitate interstate commerce, and the Federal Trade Commission is provided with regulatory flexibility to accommodate technical complexities and small business concerns."