On January 30, 2014, Senators John D. (Jay) Rockefeller IV (D-W.Va.), Chairman of the Senate Committee on Commerce, Science, and Transportation; Dianne Feinstein (D-Calif.), Chairman of the Senate Select Intelligence Committee; Mark Pryor (D-Ark.), Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet; and Bill Nelson (D-Fla.), Chairman of the Commerce Subcommittee on Science and Space, introduced legislation that would, for the first time, provide a federal standard for companies to safeguard consumers’ personal information throughout their systems and to quickly notify consumers if those systems are breached.
The Data Security and Breach Notification Act would:
- Provide security standards for databases. The Federal Trade Commission (FTC) would be directed to develop robust but flexible rules that require businesses that possess consumers’ personal information to adopt reasonable security protocols to protect that information from unauthorized access. The FTC would have the flexibility to broaden, through rulemaking, its ability to protect other types of personal information if doing so furthers the purpose of the law and does not unnecessarily burden business.
- Establish strong breach notification requirements. These requirements would allow all potentially affected consumers to take steps to protect themselves from identity theft and other crimes.
- Increase the use of technology to combat hackers. Businesses would have incentives to adopt state-of-the-art technologies that would render consumer electronic data unreadable or unusable in the case of a breach.
- Strengthen law enforcement. The bill would establish a two-pronged enforcement regime whereby the FTC and state Attorneys General would enforce the law. Breached companies would be required to notify a central, designated federal entity (established by the Department of Homeland Security), which would in turn notify other relevant law enforcement and government agencies of the breach. The bill would impose civil penalties for violations of the law as well as criminal penalties on corporate personnel who deliberately conceal a data breach.