On December 8, 2009 the House of Representatives passed the ‘Data Accountability and Trust Act’, a national data breach notification bill. Currently 45 states maintain their own data breach laws; the exceptions are New Mexico, Mississippi, Kentucky, Alabama and South Dakota. Passage of this bill would provide a common standard across states for regulating the handling of data security breaches. The Federal Trade Commission (FTC) would enforce these rules; however, organizations that do not fall under the jurisdiction of the FTC would not be required to notify breach victims.
This bill is not the first of its kind to be introduced in Congress. Two federal data security laws have previously cleared the U.S. Senate Judiciary Committee, but have not been passed by the House. As Rep. Bobby Rush stated, “For the past five years, the Privacy Rights Clearinghouse contends that nearly 340 million records containing sensitive personal information have been involved in security breaches.” It is certainly high time that our government instituted a national federal policy imposing the same comprehensive requirements for handling data security breaches in all states.
Under the proposed bill, the term ‘personal information’ is defined as “an individual’s first name or initial and last name, or address, or phone number in combination with either an individual’s Social Security Number, driver’s license number/state identification number, financial account number, credit or debit card number along with access code needed to access individual’s financial account.” If a data security breach is found to have occurred, companies would be required to offer each affected individual free credit monitoring for two years. A breach would not have to be reported if the company can ascertain that there was “no reasonable risk of identity theft, fraud, or other unlawful conduct.”
Penalties imposed for violating these laws can be sizeable. For violations of the notification requirements, penalties are calculated by multiplying the number of violations by an amount not greater than $11,000.00. Each notification failure is treated as a separate violation, with a maximum civil penalty of $5,000,000.00.
Unfortunately, it may be some time before we see this bill enacted, as the two bills previously proposed have yet to be reviewed. Until then, states will have to continue regulating data security breaches under their own separate policies.