LegiStorm
Selected Federal Data Security Breach Legislation (CRS Report for Congress)

Length 15 pages
Release Date April 9, 2012
Report Number R42474
Report Type Report
Authors Kathleen Ann Ruane, Legislative Attorney
Source Agency Congressional Research Service
Summary:

The protection of data, particularly data that can be used to identify individuals, has become an issue of great concern to Congress. There is no comprehensive federal law governing the protection of data held by private actors. Only those entities covered by the Gramm-Leach-Bliley Act, 15 U.S.C. §§6801-6809 (certain financial institutions), and by the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. §1320d et seq., as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), P.L. 111-5 (certain health care entities), are explicitly required by federal law to report data breaches. If a private company has stated in its privacy policy that it will notify individuals upon a suspected data breach, failure to provide that notification may be treated as an unfair or deceptive trade practice under Section 5 of the Federal Trade Commission Act (FTC Act). The FTC Act itself, however, does not explicitly require private actors holding data about individuals to notify those individuals or the federal government when a breach occurs.

Forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted laws requiring notification upon a data security breach involving personal information. These laws vary in their application: they may cover only certain entities or certain categories of data, and companies maintaining large stores of personal data may find it difficult to comply with the differing requirements of multiple state laws. The combination of no comprehensive federal law addressing security breaches involving personal data and the difficulty industry participants report in complying with varying state laws has led Members of Congress to propose a number of bills that would require private actors in possession of personal data to report breaches of that data.
The Senate Judiciary Committee recently approved and reported three bills that would create federal standards for data breach notification: S. 1151, the Personal Data Privacy and Security Act of 2011 (Chairman Leahy); S. 1408, the Data Breach Notification Act of 2011 (Senator Feinstein); and S. 1535, the Personal Data Protection and Breach Accountability Act of 2011 (Senator Blumenthal). The bills have similar structures and elements. This report will analyze the bills, as reported out of the committee, discussing their similarities and differences. For more information about current state and federal data security breach notification laws, see CRS Report R42475, Data Security Breach Notification Laws, by Gina Stevens.