Modernizing Authentication — What It Takes to Transform Secure Access
Two prominent Senate Democrats have offered a bill that would require businesses and nonprofit groups to meet baseline standards for safeguarding consumers' personal information, and to act quickly to provide notification in the event of a breach.
The Data Security and Breach Notification Act, introduced by Sens. Mark Pryor (D-Ark.) and John Rockefeller (D-W.V.), would mandate firms that engage in the collection and storage of personal information to implement "reasonable security policies and procedures" to prevent leaks or breaches.
In the event of a security breach, covered businesses and nonprofits would be obligated to notify all affected individuals within 60 days.
"As more and more of our personal information is collected and stored online and on computers, we need to ensure that the businesses storing this information are keeping it safe and giving us quick warning if it falls into the wrong hands," Pryor, the chairman of the Subcommittee on Consumer Protection, Product Safety and Insurance, said in a statement.
The legislation follows a similar measure introduced last month by Sens. Tom Carper (D-Del.) and Bob Bennett (R-Utah) that would also set baseline security standards for outfits, such as data brokers, credit card companies and retailers to protect sensitive information. Carper and Bennett's legislation, a reprisal of a previous bill they had offered, would also establish a federal data-breach notification requirement.
Two similar bills have also emerged from the Judiciary Committee this session, but have stalled on the Senate floor.
The House passed a data-breach bill in December.
The long-running push in Congress for a federal data-breach standard aims to supplant the tangle of state laws that currently govern security and notification requirements. At present, 46 states, as well as the District of Columbia, Puerto Rico and the Virgin Islands have data-breach laws on their books, according to the National Conference of State Legislatures.
By implementing baseline security standards, the legislative efforts also seek to address the alarming rise of data breaches that have put the unencrypted personal information of millions of consumers and/or service at risk following the loss or theft of a laptop or storage device. These security gaffes have been especially pervasive in the medical sector, where hospitals and health-care clinics have reported the exposure of a raft of patient information over the past year.
"An estimated nine million Americans have their identities stolen each year, resulting in destroyed credit ratings and legal troubles," said Rockefeller, who chairs the Senate Commerce Committee.
Under the new legislation, consumers whose information was compromised would be entitled to receive free credit reports or credit-monitoring services for up to two years.