Companies conducting business in highly regulated industries will often select our firm to assist with evaluating privacy compliance. Companies are often required to comply with privacy obligations from outside counsel, the Gramm Leach Bliley Act ("GLBA") or the Health Insurance Portability and Privacy Act ("HIPAA"). The GLBA and HIPAA regulate the financial and health care industries respectively, and beyond these types of industry-specific regulations, there is no nationwide standard of rules governing the handling of personally identifiable information ("PII"). Almost every state has some type of data breach protection statute that, among other things, requires a company to inform residents of that particular state if unauthorized access to a resident's PII has occurred. Compliance with so many disparate rules makes it difficult for companies that do business in multiple states.

Senator Patrick Leahy has sponsored a bill titled the Personal Data Privacy and Security Act of 2014.[1] This bill seeks to "Prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information." With recent large-scale data breaches receiving significant media coverage, it is possible this legislation could gain traction. States can of course legislate more protective measures; however, this bill, if it becomes law, could be a milestone in harmonizing some data privacy obligations.

Footnote

[1] Available at: https://www.govtrack.us/congress/bills/113/s1897utm_campaign=govtrack_feed&utm_source=govtrack/feed&utm_medium=rss

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.