House passes bill to require data breach notifications

The House has passed a bill that would standardize how businesses must notify people put at risk when personal data they hold electronically is improperly disclosed.

The House has passed a bill that would set nationwide rules for notifying potential victims of identity theft when their electronically stored personal information is improperly exposed.

Under the legislation, companies that hold people’s personal data would be required to notify the affected U.S. citizens and residents, as well as the Federal Trade Commission (FTC), if a security breach of a system holding the electronic data puts those people at risk. The House approved the measure on Dec. 8; it was introduced in April by Rep. Bobby Rush (D-Ill.).

The national requirements would preempt related state information security laws. Supporters of a national notification requirement say a single federal standard would simplify the complex patchwork of differing state laws that have been enacted in the absence of a federal mandate.

The bill defines personal information as a person’s first name or initial and last name, or address, or phone number, in combination with either a number from a government-issued identification document (such as a Social Security number, driver’s license number, passport number or military identification number) or a financial account number together with the access information needed to use it.

Generally, notification would have to happen within 60 days of discovery of the breach. The legislation would apply to entities under the FTC’s jurisdiction.

However, covered people or companies would be exempt from the notification requirements if they determine that there is no “reasonable risk of identity theft, fraud, or other unlawful conduct.” If the electronic data has been made unusable, unreadable or indecipherable by encryption, the bill would presume that a security breach poses no reasonable risk.

In general, the bill would require the FTC to:

  • Put in place regulations to require businesses to protect personal information they hold.
  • Identify security methodologies or technologies that render electronic data unusable.
  • Post data breach notices on the commission's Web site if that would be a benefit to the public.
  • Conduct a study on the practicality of issuing breach notices in languages other than English.

In general, information brokers, meaning companies whose business is to collect information on people who aren’t their current or former customers, would have to:

  • Give the FTC copies of their security policies if a data breach happens.
  • Let the FTC audit their information security practices if a breach happens.
  • Establish reasonable procedures to ensure that the data they collect is as accurate as possible.
  • Upon request, let people access the personal data being maintained about them.
  • When requested in writing, correct legitimate inaccuracies in the data they hold.

The bill is now in the Senate. In a separate development, in November the Senate Judiciary Committee approved two bills that would impose data breach notification requirements on businesses.