Last week, legislation was introduced in the U.S. Senate that, if passed, would create proactive and reactive requirements for companies that maintain personal information about U.S. citizens and residents. The “Data Security and Breach Notification Act of 2013” mandates two key responsibilities: (1) to secure personal information and (2) to notify affected individuals if the information is breached. The bill requires companies to take reasonable measures to protect and secure data in electronic form containing personal information. If that information is breached, companies are required to notify affected individuals “as expeditiously as practicable and without unreasonable delay” if the company reasonably believes the breach caused or will cause identity theft or other actual financial harm.
A violation of the obligation to secure or to notify is treated as an unfair or deceptive trade practice that may be investigated and pursued by the FTC. Companies that violate the law could be fined up to $1,000,000 for violations arising out of the same related act or omission ($500,000 maximum for failing to secure the personal information and $500,000 maximum for failing to notify about the breach of the personal information).
As has unfortunately become the norm, the current political climate in D.C. makes it unlikely that the Data Security and Breach Notification Act will progress very far. Nevertheless, there is a growing climate of concern regarding privacy and security issues that may result in this legislation being included within a larger package of legislation on cybersecurity and data privacy. It will be important to keep an eye on the status of this bill moving forward.