National Data Privacy Laws Move Forward

I'm just a bill from Schoolhouse Rock

With last week’s further revisions to the Massachusetts Data Privacy Law [Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)], people are wondering if the federal government is going to step into the space and create a national standard. Most states have enacted some form of data breach or data privacy law, creating a patchwork of laws across the country.

I found three separate bills moving through the legislative process: Data Accountability and Trust Act (H.R. 2221), Personal Data Privacy and Security Act of 2009 (S.1490), and The Data Breach Notification Act (S. 139).

Data Accountability and Trust Act (H.R. 2221)

This bill was in the House Committee on Energy and Commerce and referred to the Subcommittee on Commerce, Trade and Consumer Protection. They recommended it be considered by the House as a whole on September 30.

This act would require the Federal Trade Commission to promulgate regulations requiring each person engaged in interstate commerce that owns or possesses electronic data containing personal information to establish security policies and procedures.

Personal Data Privacy and Security Act of 2009 (S.1490)

Last week, the Senate Judiciary Committee approved the Personal Data Privacy and Security Act of 2009 by a vote of 14-5, sending the bill to the full Senate for consideration.

This act would amend the federal criminal code to: (1) make fraud in connection with the unauthorized access of sensitive personally identifiable information (in electronic or digital form) a predicate for racketeering charges; and (2) prohibit concealment of security breaches involving such information.

This law would preempt state regulation in this area.

The Data Breach Notification Act (S. 139)

Last week, the Senate Judiciary Committee approved the Data Breach Notification Act by a vote of 14-2, sending the bill to the full Senate for consideration.

This act would require any federal agency or business entity engaged in interstate commerce that uses, accesses, or collects sensitive personally identifiable information, following the discovery of a security breach, to notify: (1) any U.S. resident whose information may have been accessed or acquired; and (2) the owner or licensee of any such information that the agency or business does not own or license. The notice must be given “without unreasonable delay” following discovery of the breach.

It also authorizes civil actions by state attorneys general to enforce the act. This act would supersede any other provision of federal law or any provision of law of any state relating to notification by a business entity engaged in interstate commerce or an agency of a security breach.

These are just bills, so it’s hard to tell what may happen to them. The clock is ticking. The Massachusetts data security law goes into effect on March 1, 2010.