
New Bill Forces Corporations To Disclose Data Breaches

The Hill has received a copy of a bill submitted by Senator Pat Toomey (R-Pa.) on behalf of himself and four other Republican senators that establishes national standards on how companies report security breaches related to personal information.

News of the proposed legislation arrives after an Illinois woman filed a $5 million class-action lawsuit against LinkedIn in U.S. District Court for the Northern District of California. The suit alleges that LinkedIn violated promises to its users by not having better means to secure private data, thus allowing a hacker to gather more than six million passwords and post them online. Both eHarmony and Last.fm were also breached, reporting stolen passwords.

Toomey, alongside Senators Olympia Snowe (Maine), Jim DeMint (S.C.), Roy Blunt (Mo.) and Dean Heller (Nev.), introduced the Data Security and Breach Notification Act of 2012 (S.3333) on Thursday. This act requires corporations, trusts, cooperatives and similar entities -- those that retain personal data -- to inform users of a breach as quickly as possible.

According to The Hill, breached entities must tell affected users the actual date on which their personal information was discovered to have been accessed, what was actually stolen, and how to contact the breached entity for more information. Personal information covered by the legislation includes Social Security numbers, driver's license numbers, financial account numbers, credit or debit card numbers and related security codes. Notifications can be distributed on paper, by email or by telephone.

"A covered entity shall notify the Secret Service or the Federal Bureau of Investigation of the fact that a breach of security has occurred if the number of individuals whose personal information the covered entity reasonably believes to have been accessed and acquired by an unauthorized person exceeds 10,000."

In the event of a breach of security of a system maintained by a third-party entity that has been contracted to maintain, store, or process data in electronic form containing personal information on behalf of a covered entity who owns or processes such data, the third-party entity will notify the covered entity of the breach of security, the bill adds.

Failure to follow the notification standard under the act results in a fine of up to $500,000 USD.

The Hill reports that many Republicans in Congress have already expressed support for legislation similar to the Data Security Act because they would rather see a single national standard than differing state laws.

"This Act preempts any law, rule, regulation, requirement, standard, or other provision having the force and effect of law of any State, or political subdivision of a State, relating to the protection or security of data in electronic form containing personal information or the notification of a breach of security," the document states.

For more information about the proposed Data Security and Breach Notification Act, head here.