National data breach law on the way?

Perhaps taking advantage of the increased attention placed on security and privacy issues, including the implementation of new data breach disclosure rules by both HHS and the FTC applicable to personal health information, Senator Patrick Leahy in July introduced S. 1490 as the Personal Data Privacy and Security Act, which the Judiciary Committee began considering this week. The bill would establish standards for data privacy and security programs to protect personally identifiable information, applicable to any business entity not already subject to Gramm-Leach-Bliley or HIPAA that collects, uses, stores, transmits, or disposes of records on 10,000 or more people. Entities covered under this proposed legislation would be obligated to implement data privacy and security safeguards and practices, or risk financial penalties of as much as $5,000 per day while in violation. In terms of data breaches, organizations subject to the proposed legislation would have to “notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired.” The language as drafted does provide exemptions from disclosure requirements in certain circumstances, including cases where there is no significant risk of harm to individuals whose personal information was part of the breach. In Leahy’s bill, however, the determination that no significant risk exists is based on the use of encryption or other mechanisms to render the information indecipherable; the technical stipulations do not provide the same subjective “out” contained in the final version of the HHS rules for personal health information breach disclosures.
Other provisions in the bill include strengthening of penalties for cases of identity theft and the application of racketeering laws to identity theft, and a requirement that credit reporting agencies receive data breach notifications, in addition to requirements that individuals be notified when their personally identifiable information has been disclosed. The most challenging part of the bill as drafted may be the determination of appropriate safeguards; a similar provision in the HIPAA security rule resulted in the need to develop a formal set of appropriate security controls to deliver the safeguards called for in the law.