By Donald G. Aplin
Sen. Thomas R. Carper July 28 reintroduced bipartisan legislation (S. 1434) that would require businesses and federal agencies to adopt data security measures to protect personal information—primarily financial data—and mandate notification to individuals of breaches of their personal data.
S. 1434, the Data Security Act of 2011, which Carper said in a July 28 statement is modeled on data security provisions of the Gramm-Leach-Bliley Act and its implementing regulations, would preempt state data security and breach notification laws.
“We need to replace the current patchwork of state and federal regulations,” Carper said in a statement announcing the introduction of the bill.
Fourth Attempt for Bill
This is the fourth time Carper has proposed the measure. He introduced the legislation as S. 3568 in the 109th Congress, S. 1260 in the 110th Congress, and S. 3579 in the 111th Congress.
In the three previous Congresses, former Sen. Robert Bennett (R-Utah) was Carper's GOP co-sponsor. But Bennett lost the Republican nomination for his Utah Senate seat in 2010. This year, Sen. Roy Blunt (R-Mo.) has signed on as an original co-sponsor of the measure.
S. 1434 was referred to the Senate Banking, Housing and Urban Affairs Committee for consideration.
It is unclear whether the bill has any legs, given that in its three previous iterations the Banking Committee did not move on the legislation even though Carper and Bennett were members of the committee. This time, in the 112th Congress, neither Carper nor Blunt is a member of the Banking Committee.
Proposed Law Would Cover More Than Banks
S. 1434 would require businesses that handle sensitive consumer data, in any electronic or paper format, to implement information security safeguards, investigate security breaches, and notify consumers if their “sensitive account information” or “sensitive personal information” in a readable or usable form is breached.
The bill does not require breach notice of covered information if it is “maintained or communicated in a manner that is not usable (I) to commit identity theft; or (II) to make fraudulent transactions on financial accounts.” Data that is maintained or sent in “encrypted, redacted, altered, edited, or coded form” is considered unusable, according to the bill.
The bill would require businesses to implement, maintain, and enforce reasonable data security policies and procedures. The reasonableness of such policies and procedures would be determined with reference to the size and complexity of the business and the scope of its activities as well as by the sensitivity of the types of information it maintained.
In a separate section, the bill would require federal agencies to implement administrative, technical, and physical safeguards to protect the sensitive personal information they maintain or communicate. In addition, federal agencies would be required to implement data breach notification standards.
The proposed law would cover financial institutions as defined by the GLB Act, firms covered by the Fair Credit Reporting Act, and any other individual or business “that maintains or communicates sensitive account information or sensitive personal information.”
Safe harbor from the proposed law would be provided for financial institutions deemed in compliance with GLB data security and breach notice requirements.
Breach Notice Triggered by Risk of Harm
The bill contains a risk of harm threshold, limiting when notification would be required. Businesses would be required to provide notice only if an investigation of a breach incident demonstrated that information “is reasonably likely to be misused in a manner causing substantial harm or inconvenience” to individual consumers.
Under the bill “substantial harm or inconvenience” includes “material financial loss to, or civil or criminal penalties imposed on, a consumer, due to the unauthorized use” of covered information or “the need for a consumer to expend significant time and effort to correct erroneous information relating to the consumer, including information maintained by a consumer reporting agency, financial institution, or government entity.”
Changing an account number or closing an account does not qualify as substantial harm or inconvenience under the bill, nor does any harm or inconvenience that does not relate to “identity theft or account fraud.”
Under the bill, functional federal financial regulators, such as the Federal Deposit Insurance Corporation, would promulgate regulations for their respective financial services businesses regarding the method, content, and timing of notifications to consumers.
Enforcement of the proposed law would be given to the Federal Trade Commission or the relevant federal financial regulator that issued the regulations governing a particular covered entity. The bill specifically prohibits individuals from filing lawsuits to enforce the proposed law.
Full story: http://news.bna.com/drln/DRLNWB/split_display.adp?fedfid=21597128&vname=dernotallissues&wsn=498281500&searchid=15035095&doctypeid=1&type=date&mode=doc&split=0&scm=DRLNWB&pg=0