Anyone keeping tabs on the legal scene would think data breaches are something new, given all of the legislation hitting the floor of Congress, when in reality they have been happening since businesses began saving data. The truth is the average consumer didn’t really think about it until they started to hear about data breaches and fraud trends when California blazed a trail with what is considered to be the “grandma” of data breach laws back in 2002. The California law (CA SB 1386) required entities to report data breaches if a California resident was a record in the breach that included personally identifiable information and met the state’s criteria for breach. One might say that law started it all: data breach reporting, the ability for watchdog tracking, and media coverage – before CA SB 1386 we only saw the tip of the iceberg.
There are currently four bills worth watching in Congress right now that could have some significant impact to data breach notification requirements:
- Senate Bill 139, sponsored by California Sen. Diane Feinstein. The Data Breach Notification Act would cover any agency or business that uses or stores personal identifiable information and make it mandatory that if a breach occurred, the victims would be informed
- Senate Bill 3579, the Carper-Bennett legislation, entitled the Data Security Act of 2010 applies to financial institutions, retailers and government agencies, and would require these entities to safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud. This bill is aimed to protect consumers and businesses from identity theft and account fraud.
- Senate Bill 3742, entitled The Data Security and Breach Notification Act of 2010, sponsored by Senators Mark Pryor and Jay Rockefeller would cross industries and requires special requirements for data brokers. It was referred this month to the Committee on Commerce, Science and Technology, which Rockefeller chairs.
- Senate Bill 1490, entitled the Personal Data Privacy and Security Act, designates as fraud unauthorized access of personally identifiable information and allows the act to lead to racketeering charges. Sponsored by Senate Judiciary Committee Chairman, Patrick Leahy, it would also prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim.
Many organizations already provide for data breach and the security of personally identifiable information as part of an Identity Theft Prevention Program or Red Flags Rule compliance. I’m happy to say that many rely on Experian tools (http://www.experian.com/data-breach/data-breach-resources.html) for data breach or Enterprise Risk Management solutions.
However, any of these bills could change the game for many businesses not already regulated by the Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA) or Fair and Accurate Credit Transactions Act (FACTA). In fact, two of the bills would essentially subject data brokers to the same kinds of legislation that financial institutions have under FCRA. The reasoning behind it is that fraud trends continue to show risk levels are the same to the consumer, regardless of where the information is stored. The financial industry and credit bureau data have been regulated for years so, in a sense, I think it’s just “more of the same” unless you happen to be in an industry not regulated as stringently. Still… it’s worth keeping those “tabs” and RSS feeds alive.