Senate panel approves data-breach notification bills
The U.S. Senate Judiciary Committee has approved two bills that would require organizations with data breaches to report them to potential victims.
The Judiciary Committee on Thursday voted to approve both the Personal Data Privacy and Security Act and the Data Breach Notification Act by large majorities.
The Data Breach Notification Act, sponsored by Senator Dianne Feinstein, a California Democrat, would require U.S. agencies and businesses that engage in interstate commerce to report data breaches to victims whose personal information "has been, or is reasonably believed to have been, accessed, or acquired."
Feinstein's bill would also require agencies and businesses to report large data breaches to the U.S. Secret Service
The Personal Data Privacy and Security Act would also require that organizations that maintain personal data give notice to potential victims and law-enforcement authorities when they have a data breach. It would increase criminal penalties for electronic-data theft and allow people to have access to, and correct, personal data held by commercial data brokers.
The second bill, sponsored by Senator Patrick Leahy, the Judiciary Committee chairman and a Vermont Democrat, would also require the U.S. government to establish rules protecting privacy and security when it uses information from commercial data brokers.
Several tech groups have called for the U.S. Congress to pass national data-breach notification legislation. Since a series of high-profile data breaches in early 2005, about 45 states have passed data-breach notification laws.
It's difficult for companies to comply with the separate state laws, officials from cybersecurity product vendor Symantec have said.
Symantec CEO Enrique Salem sent a letter to the committee Wednesday in support of the Leahy data-breach bill.
The Leahy bill "is a major step forward towards enacting a comprehensive, uniform national framework to better prevent breaches of sensitive consumer information as well as setting a clear standard for effective notification should a breach occur," Salem wrote.
Symantec supports the bill's language saying that if personal data is encrypted or otherwise rendered unusable, organizations don't have to report the data breach, the letter said. The committee has recognized "there are widely accepted industry best practices and standards for data security that companies can look to as a road map for compliance when protecting electronic data," Salem wrote.
The Business Software Alliance, a trade group, also praised the committee for approving both bills.
"In recent years, hundreds of millions of individual records containing sensitive personal information have been involved in computer security breaches," BSA President and CEO Robert Holleyman said in a statement. "The frequency and severity of data breaches have prompted more than 45 states to pass data security laws, creating a confusing patchwork quilt of regulations."
Both bills now head to the full Senate for votes. The timeline for action in the Senate is unclear.
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
U.S. Senate Judiciary Committee
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
