Originally published September 27, 2011
The Senate Judiciary Committee approved three data security bills on September 22, 2011. Several other bills are pending in the Senate and House of Representative, some which we discussed in a prior post. Therefore, while it is still unclear what national data security legislation Congress will ultimately adopt, it is becoming increasingly clear that the United States will soon have a federal data security law.
The first bill that passed the Senate Judiciary Committee was the Personal Data Privacy and Security Act of 2011, sponsored by Senator Patrick Leahy. It would require a business to implement a comprehensive data security program, and notify individuals affected by a security breach. It also would amend the Computer Fraud and Abuse Act to counteract court decisions that have found liability where an employee takes or uses information in violation of a contractual obligation or the terms of an acceptable use policy.
The second bill was the Data Breach and Notification Act of 2011, sponsored by Senator Dianne Feinstein. It is limited exclusively to data breach notification. Notably, it would not require notice if a business conducts a risk assessment and can prove to the Federal Trade Commission that no significant risk of harm exists to affected individuals.
The third bill was the Personal Data Protection and Breach Accountability Act of 2011, sponsored by Senator Richard Blumenthal. It would significantly expand the requirements of any state data security law or proposed federal law. Under this bill, businesses would have to provide affected individuals with written and telephonic notice. If more than 5,000 individuals are affected, the business also would have to provide public notice through the media, as well as electronic notice (such as on the business' own website). This bill also would prohibit businesses from attempting to "monitor, manipulate, aggregate, and market the data collected in the process of intercepting a web search or query entered by an authorized user of a protected computer."
Stay tuned as the both the Senate and House continue to consider a variety of different federal data security legislation.
Cameron Shilling is a partner at McLane, Graf, Raulerson & Middleton, and leads McLane's Privacy and Data Security Group.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.