PRIVACY & DATA SECURITY BILLS

110th CONGRESS

JUNE 2007

BILL # / SPONSOR / DESCRIPTION / PREEMPTS STATE LAW / ENFORCEMENT / NOTICE / COMMENTS

BILL # / SPONSOR: S.495 - Leahy (D-VT), The Personal Data Privacy Security Act
DESCRIPTION: A broad bill that addresses notification provisions, extensive regulation of data brokers, and requirements for certain businesses to implement data security programs, and authorizes criminal/civil penalties. Three primary exceptions include: instances where a risk assessment concludes there is no “significant risk” of harm, businesses with programs to block unauthorized use of financial information, and cases where notice would damage national security.
PREEMPTS STATE LAW: Yes, preempts concurrent state breach laws.
ENFORCEMENT: The bill assigns enforcement of distinct provisions to the Federal Trade Commission, the Secret Service, and state and federal attorneys general.
NOTICE: Any agency or business engaged in interstate commerce that discovers a breach of “sensitive personally identifiable information” must notify any U.S. resident whose information has been or is reasonably believed to have been accessed or acquired.
COMMENTS: Exemptions for financial institutions covered by GLBA and entities covered under HIPAA. Safe harbor protection for businesses that maintain a program equal to industry standards as identified by the FTC.
STATUS: May 3, the bill was reported favorably with amendments in the Senate Judiciary Committee and is pending on the Senate Floor.

BILL # / SPONSOR: S.239 - Feinstein (D-CA), The Notification of Risk to Personal Data Act
DESCRIPTION: S. 239 covers any federal agency or business engaged in interstate commerce that uses, accesses, transmits, stores, disposes of or collects “sensitive personally identifiable information.” Three primary exceptions include: instances where a risk assessment concludes there is no “significant risk” of harm, businesses with programs to block unauthorized use of financial information, and cases where notice would damage national security.
PREEMPTS STATE LAW: Yes, preempts concurrent state breach laws.
ENFORCEMENT: Delegates enforcement to federal and state attorneys general.
NOTICE: Must notify without “unreasonable delay” both any U.S. resident whose information may have been accessed or acquired and the owner or licensee of any breached information that the covered entity does not own or license.
COMMENTS: Bill does not address data brokers.
STATUS: May 3, the bill was ordered to be reported with an amendment in the Senate Judiciary Committee and is pending on the Senate Floor.

BILL # / SPONSOR: S.1202 - Sessions (R-AL), The Personal Data Protection Act of 2007
DESCRIPTION: Requires agencies and persons in possession of computerized data containing sensitive personal information to disclose security breaches where such a breach poses a significant risk of identity theft.
PREEMPTS STATE LAW: Yes, provisions of this Act shall supersede any law, rule or regulation of any State or unit of local government that relates in any way to electronic information security standards or to the notification of any resident of the U.S. of any breach of security pertaining to personal information.
ENFORCEMENT: Provides enforcement to the state attorney general, except in cases where a functional regulator or the Department of Justice has already brought action.
NOTICE: Agency must notify an individual when a significant risk of identity theft exists as a result of a breach of security, or when the personal information was compromised.
STATUS: Referred to the Senate Committee on the Judiciary.

BILL # / SPONSOR: S. 1260 - Carper (D-DE), Data Security Act of 2007
DESCRIPTION: Requires each covered entity (a business engaging in financial activities under Section 4(k) of the Bank Holding Act, a financial institution, an entity that maintains information subject to the Fair Credit Act, and any individual, partnership, corporation, trust or estate that communicates “sensitive personal information”) to implement reasonable policies and procedures to protect the confidentiality and security of personal information.
PREEMPTS STATE LAW: Yes, provides that no requirement or prohibition may be imposed under state law to protect the security of information relating to consumers, or to investigate and provide notice of unauthorized access to information relating to consumers.
ENFORCEMENT: Regulations established under Section 4 of the bill shall be enforced exclusively under the Federal Deposit Insurance Act. The SEC shall have enforcement authority with respect to broker-dealers and any investment company.
NOTICE: Yes, the entity is required to give notice to the appropriate agency or authority as defined in Section 5 of the bill, to each consumer agency that maintains files on consumers on a nationwide basis, and to all consumers to whom the sensitive information relates.
COMMENTS: Exceptions - the term “entity” does not include any agency of federal, state or local government. Bill gives enforcement powers to the federal government.
STATUS: Referred to the Banking, Housing and Urban Affairs Committee.

BILL # / SPONSOR: S. 1558 - Coleman (R-MN) and H.R. 2124 - Davis (R-VA), The Federal Agency Data Breach Protection Act
DESCRIPTION: The bills amend the Federal Information Security Management Act (FISMA) to require that OMB establish data breach policies, procedures and standards mandating that federal agencies give timely notice to individuals whose sensitive personal information has been breached.
PREEMPTS STATE LAW: Unclear. S. 1558/H.R. 2124 do not mention the states' role.
ENFORCEMENT: Enforcement authority would be dedicated to the Chief Information Officer, who would be responsible for developing and maintaining an inventory of all computers or any other devices that contain sensitive information.
NOTICE: Yes, but the language contains a risk-of-harm threshold that would allow agencies to avoid providing notice if “the breach does not create a reasonable risk of identity theft, fraud, or other unlawful conduct regarding such individual.”
COMMENTS: The bills define sensitive information as “education, financial transactions, medical history, and criminal or employment history” that can be used to trace an individual’s identity.
STATUS: S.1558 was introduced on June 6. H.R. 2124 was introduced on May 3 and assigned to the House Oversight and Government Reform Committee.

BILL # / SPONSOR: H.R. 958 - Rush (D-IL)/Stearns (R-FL), Data Accountability & Trust Act
DESCRIPTION: The bill charges the FTC with studying numerous aspects of data privacy and security and with promulgating further regulations. The information broker provisions are more rigorous and require more reporting on the part of the brokers. Finally, the bill provides guidance for the destruction of obsolete paper and other non-electronic information.
PREEMPTS STATE LAW: Yes, preempts concurrent state breach laws.
ENFORCEMENT: The FTC, and state attorneys general in coordination with the FTC, may enforce violations of H.R. 958.
NOTICE: Breach notice has a narrower exception for businesses that engage in a “risk assessment” to determine whether to notify consumers: the standard is whether a “reasonable risk,” as opposed to a “significant risk,” of consumer harm exists. H.R. 958 requires entities to report all large breaches to the FTC, even if the entity issues consumer notification.
COMMENTS: Exempts an entity from providing notice after a breach if it determines that there is no “reasonable risk of identity theft, fraud, or other unlawful conduct.” The bill requires that the FTC promulgate further regulations regarding exemptions, including those resulting from other technology rendering data indecipherable.
STATUS: Referred to the House Committee on Energy & Commerce.

BILL # / SPONSOR: H.R. 836 - Smith (R-TX), The Cyber Security Consumer Data Protection Act
DESCRIPTION: Requires businesses and government agencies to notify the U.S. Secret Service or FBI of breaches involving (1) personal information of 10,000 or more individuals whose loss causes a “significant risk of identity theft”; (2) databases owned by the Federal Government; or (3) electronic data containing means of identifying Federal government employees or contractors involved in national security or law enforcement matters.
PREEMPTS STATE LAW: Yes, preempts concurrent state breach laws.
ENFORCEMENT: Delegates rulemaking to the U.S. Attorney General and the Secretary of Homeland Security, with implied enforcement powers to state attorneys general.
NOTICE: Yes; see the DESCRIPTION column for the notice requirements.
COMMENTS: Provides for civil and criminal penalties for hiding such data breaches. In addition, defines computer fraud to include acquisition of personally identifiable information without authorization and any conspiracy to gain illicit access to computers.
STATUS: Referred to the Judiciary Subcommittee on Crime, Terrorism, and Homeland Security.

BILL # / SPONSOR: H.R. 1685 - Price (R-GA), The Data Security Act of 2007
DESCRIPTION: Requires each covered entity (a business engaging in financial activities under Section 4(k) of the Bank Holding Act, a financial institution, an entity that maintains information subject to the Fair Credit Act, and any individual, partnership, corporation, trust or estate that communicates “sensitive personal information”) to implement reasonable policies and procedures to protect the confidentiality and security of personal information.
PREEMPTS STATE LAW: Yes, preempts state law with respect to the responsibilities of any person to protect against and investigate such data security breaches and to mitigate any losses or harm resulting from them.
ENFORCEMENT: Regulations established under Section 4 of the bill shall be enforced exclusively under the Federal Deposit Insurance Act. The SEC shall have enforcement authority with respect to broker-dealers and any investment company. Bill grants enforcement powers to the federal government.
NOTICE: Yes, the entity is required to give notice to the appropriate agency or authority as defined in Section 5 of the bill, to each consumer agency that maintains files on consumers on a nationwide basis, and to all consumers to whom the sensitive information relates.
COMMENTS: Exceptions - the term “entity” does not include any agency of federal, state or local government.
STATUS: Referred to the Committee on Financial Services, and in addition to the Committees on Oversight and Government Reform, and Energy and Commerce, for a period to be subsequently determined by the Speaker.
