Friday, November 6, 2009

Senate committee ok's ID theft, data breach bills

Yesterday, the Senate Judiciary Committee passed two bills on Identity Theft and Data Breach that will now go to the full Senate, and it’s about time.

The first is the Personal Data Privacy and Security Act of 2009 (S.1490), which is “a bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.”

Among other things, it establishes guidelines for performing risk assessments and vulnerability testing, and for controlling and logging access to sensitive information. There are also provisions tied to protecting data, a set of rules requiring businesses to notify law enforcement, credit reporting agencies and individuals affected by a breach, and penalties for failing to do so. It also creates the Office of Federal Identity Protection under the FTC.

The other bill is the Data Breach Notification Act (S.139), which is “a bill to require Federal agencies, and persons engaged in interstate commerce, in possession of data containing sensitive personally identifiable information, to disclose any breach of such information.”

Depending on the circumstances and severity of the breach, notifications may be required to the Secret Service, FBI, Postal Inspection Service, and state attorneys general.

Symantec’s CEO issued a statement commending the Judiciary Committee’s vote, saying, “According to the Privacy Rights Clearinghouse, more than 330 million records containing sensitive personal information have been involved in data security breaches since 2005. As such, we believe that the United States urgently needs to pass a national data breach law.”

I couldn’t agree more.
 