In a markup session yesterday, the Senate Judiciary Committee approved two bills on the protection of consumer data. S 1490, the Personal Data Privacy and Security Act of 2009, takes a number of steps to increase the penalties for identity theft and to require data brokers to take additional measures to protect the information they handle. The additional steps start with implementing data privacy and security programs for databases with sensitive personal information. Data brokers would be required to disclose to an individual the information that the broker holds on that individual. Brokers must also maintain procedures for individuals to correct inaccuracies in this information. The bill also requires the Federal Trade Commission, the General Services Administration, and the U.S. Sentencing Commission to make changes to their policies to reflect the standards and procedures described in this act. For example, the bill makes it a crime to intentionally or willfully conceal a security breach involving personal data.
The bill’s data breach notification provisions come from a separate bill the committee approved, S 139, the Data Breach Notification Act. In the event of a data breach, any federal agency or business entity that uses, accesses, or collects sensitive personally identifiable information must notify any U.S. resident whose information was accessed or taken, and any third party that has access to or control of that information. Under special circumstances other agencies would be notified as well. The Senate Judiciary Committee has approved data privacy and breach notification legislation before, and it failed to reach the Senate floor. With the number of records exposed by data breaches continuing to grow, it would be nice to see this legislation advance further in the process.
David B. posted this at 5:54 pm ET | Filed in Privacy, Security

