National Breach Law Introduced in the Senate
Five Republican members of the U.S. Senate have introduced legislation to create a national standard for requiring companies to protect personal information in electronic form and to notify affected individuals of breaches.
Five Republican members of the U.S. Senate have introduced legislation to create a national standard for requiring companies to protect personal information in electronic form and to notify affected individuals of breaches.
The bill, S. 3333, if enacted, would preempt state laws, including laws tougher than the Senate proposal.
Provisions in the Senate bill are not particularly strong. It would require covered entities that own or license data in electronic form to take reasonable measures to protect and secure personal information, but does not define or set a standard for “reasonable measures.”
The bill would require covered entities to notify affected individuals who are known or reasonably believed to have had personal information compromised. Third-party agents are to notify covered entities of a breach, as are service providers (data network operators), and the covered entity would notify individuals.
The proposed legislation, however, does not require notification within a specific period. It calls for timeliness of notification “as expeditiously as practical and without unreasonable delay.”
The legislation sets a maximum civil penalty of $500,000 for all violations of the requirement to take reasonable measures to protect data resulting from the same related act or omission; and $500,000 for all violations of notification requirements resulting from a single breach.
The bill does not establish a private cause of action, which would give affected individuals the right to sue a person for violations of the law.
Sen. Pat Toomey (PA) introduced the bill, with cosponsors Roy Blunt (MO), Jim DeMint (SC), Dean Heller (NV) and Olympia Snowe (ME). The legislation, soon to be available at congress.gov, is before the Committee on Commerce, Science and Transportation.
The bill, S. 3333, if enacted, would preempt state laws, including laws tougher than the Senate proposal.
Provisions in the Senate bill are not particularly strong. It would require covered entities that own or license data in electronic form to take reasonable measures to protect and secure personal information, but does not define or set a standard for “reasonable measures.”
The bill would require covered entities to notify affected individuals who are known or reasonably believed to have had personal information compromised. Third-party agents are to notify covered entities of a breach, as are service providers (data network operators), and the covered entity would notify individuals.
The proposed legislation, however, does not require notification within a specific period. It calls for timeliness of notification “as expeditiously as practical and without unreasonable delay.”
The legislation sets a maximum civil penalty of $500,000 for all violations of the requirement to take reasonable measures to protect data resulting from the same related act or omission; and $500,000 for all violations of notification requirements resulting from a single breach.
The bill does not establish a private cause of action, which would give affected individuals the right to sue a person for violations of the law.
Sen. Pat Toomey (PA) introduced the bill, with cosponsors Roy Blunt (MO), Jim DeMint (SC), Dean Heller (NV) and Olympia Snowe (ME). The legislation, soon to be available at congress.gov, is before the Committee on Commerce, Science and Transportation.
More for you
Loading data for hdm_tax_topic #reducing-cost...