More Congressional progress on data breach laws
Thanks to the action of the Senate Judiciary Committee this week, it looks like we have not one but two bills addressing data breach notification requirements that would apply broadly to commercial entities. The measure introduced as the Personal Data and Privacy Security Act (S. 1490) and sponsored by by committee chairman Sen. Patrick Leahy is somewhat broader in scope than the Data Breach Notification Act (S. 139) sponsored by Sen Dianne Feinstein, in that Leahy’s bill addresses penalties and enforcement mechanisms for identify theft as well as setting data breach notification requirements. There is a great deal in common between the two bills, so it seems likely (if there is momentum to bring the bills before the fully Senate for deliberation) that they will be combined into a single piece of legislation. Sen. Leahy has been particularly vocal in suggesting that there is growing public demand for a national data breach law, and seems to think the appetite exists in Congress to take up the measure this year or next, despite the fact that similar bills were first introduced four years ago and have never made it through the legislative process to a full vote. Let’s not forget that before we can have a law we need action from the House too; in April Rep. Bobby Rush introduced the Data Accountability and Trust Act (H.R. 2221), in essentially the same form as an identically named piece of legislation introduced in the House during the previous Congress. The House bill was considered over the summer by the House Committee on Energy and Commerce’s Subcommittee on Commerce, Trade, and Consumer Protection and ordered reported out to the full House at the end of September. So the key question now is, when will one or both sides of Congress take up these bills for consideration and action by the full chambers?