A federal data breach notification bill was recently introduced in Congress. How should organizations prepare in advance for the likelihood that the bill becomes a law later this year? Are there any potential changes or steps in the bill that enterprises could get ahead on?
The Data Accountability and Trust Act (DATA) is a piece of proposed federal legislation with a six-year history. It resurfaced in early 2015 with initiatives in the Senate and the U.S. House to pass federal legislation. It's far from certain whether the bills will become law, and the final language of any bill must be reconciled by Congress. That said, organizations seeking to prepare for this new regulatory requirement may wish to assess their current privacy practices.
Generally speaking, the proposals require organizations to secure personal information and notify individuals in the event of a security breach. The categories of personal information under consideration include:
- Social Security numbers (unless truncated);
- License numbers, passport numbers, alien registration numbers;
- Other government-issued unique identification numbers;
- Biometric data including fingerprints, voiceprints, retina and iris images;
- Financial account numbers, including credit card numbers;
- Usernames and passwords to online accounts; and
- Name combined with at least two of the following: home address/telephone number, mother's maiden name, birth date.
Most organizations already have information security and data breach notification policies in place due to existing state requirements. If your organization already has such a policy, now would be a good time to review it and ensure that you have a complete inventory of sensitive information. You may also wish to document the security controls around such information in anticipation of new regulatory requirements.
If Congress passes the Data Accountability and Trust Act, it will likely assign enforcement responsibility to the Federal Trade Commission (FTC) and grant that agency authority to promulgate security standards and assess fines for noncompliance. The good news is that new FTC regulations will likely go through a lengthy federal rule-making process and will not become enforceable for at least a year.