Data breach bill sets notification requirements
- By Michael Posner
- May 4, 2007
The measure (S. 239) by Sen. Dianne Feinstein, D-Calif., was approved by voice vote. It was a companion bill to legislation (S. 495) passed earlier Thursday to place controls over data brokers and agencies in an effort to curb the growing problem of consumer identity theft.
The Feinstein bill, which did not attract any dissent or debate, meshes in many details with S. 495, which overall is more sweeping. The Feinstein measure, a substitute she offered that completely rewrote her earlier version to conform to sections of S. 495, requires agencies or businesses to notify consumers if their information is believed to have been accessed improperly.
The bill requires any agency or business that engages in interstate commerce and collects, stores or uses personal information to notify its clients or consumers in the event of a security breach. Companies found in violation could be subject to civil penalties of up to $1 million.
The bill defines the time frame within which those agencies or businesses must notify consumers that their personal information has been compromised. The bill states that notifications should be made "without unreasonable delay" following a breach, and defines "reasonable delay" as "anytime necessary to determine the scope of the breach, prevent further disclosures and restore the integrity of the data system and provide notice to law enforcement when required."
It will fall to those companies to prove they made timely notification, the bill states. The bill makes an exception in the event of a criminal investigation.
The measure also specifies that notification can be made in writing, by telephone or by e-mail, provided permission has been given in advance. It also allows for notice via media outlets if more than 5,000 people have been affected.