Another week, another major data breach hit the airwaves. The most recent casualty was LinkedIn. Six million passwords were reportedly hacked. The Internet dating Web site eHarmony also reported hacked passwords posted online.
Rest assured that whenever a major data breach is reported, a slew of Senators and Representatives fire off press releases [old school] and tweets [new school] arguing for their data security bill. In reality, data security has taken a back seat to its bigger and more ominous brother, cybersecurity. For companies in the financial services space, good data security is already the law (Gramm-Leach-Bliley's Safeguards Rule and more than 45 state data breach notification laws).
As a reminder, the following is a roster of data security bills reported by the Senate Judiciary Committee last September:
· S. 1151, the Personal Data Privacy and Security Act, sponsored by the Committee Chairman Pat Leahy (D-VT).
· S. 1535, the Personal Data Protection and Breach Accountability Act of 2011, sponsored by Sen. Richard Blumenthal (D-CT).
· S. 1408, the Data Breach Notification Act, sponsored by Sen. Dianne Feinstein (D-CA).
All three bills would require companies to implement data security programs to protect sensitive personal information, and all three would set a national standard for breach notification. S. 1151 and S. 1535 provide for criminal penalties for failing to notify individuals of a data breach. S. 1535 allows for private rights of action against companies that fail to notify of a data breach. The Senate Commerce Committee continues to discuss its own data security and breach notification bill (S. 1207). On the House side, the Energy and Commerce Committee has yet to schedule a markup and vote on H.R. 2577, the SAFE Data Act authored by Rep. Mary Bono Mack (R-CA). Her subcommittee approved H.R. 2577 in July, but negotiations continue on the preemption, data minimization and liability provisions in the bill. It is uncertain whether the full Committee will mark up H.R. 2577 this summer.
Even in an active Congress, passing cybersecurity, data security or privacy legislation would be a tall order. Consensus simply does not exist on whether more regulation would be of any benefit. Meanwhile, companies (especially in financial services and payments) spend great resources (human and capital) to stay one step ahead of the fraudsters, hackers and government officials wanting to punish companies for lax data security.