Arguably as a result of the Obama administration’s call for federal data privacy and security legislation, a number of bills have been introduced this year in both the House and Senate to address consumer-data privacy issues. Introduced earlier this spring were the Do Not Track Online Act, discussed here previously, and the comprehensive Commercial Privacy Bill of Rights Act, sponsored by political heavyweights Senators John Kerry and John McCain. A new crop of bills introduced this summer focuses on data-protection procedures and breach-notification requirements. Highlights from these entries, by Senators Leahy and Pryor and Representative Bono Mack, are outlined below.

Personal Data Privacy and Security Act – Sen. Leahy

  • Preempts state breach notification statutes
  • Criminalizes intentionally or willfully concealing a data breach
  • Breach notification to be made “without unreasonable delay”

Secure and Fortify Electronics (SAFE) Data Act – Rep. Bono Mack

  • Preempts state breach notification statutes
  • 48-hour breach notification requirement, in some cases
  • Civil penalties available; capped at $5M

Data Security and Breach Notification Act – Sen. Pryor

  • Similar form to the SAFE Data Act
  • 60-day breach notification requirement
  • Includes special rules for “Information Brokers”

Whether any of these become law by the end of this year’s session is not clear. However, the 48-hour breach-notification requirement proposed by Rep. Bono Mack seems to be generally unworkable in practice, making the requirement unlikely to be a component of any enacted law. What is clear, however, is that with recent, highly publicized and scrutinized data breaches at Lockheed Martin and Sony, greater-than-average political will exists in Congress to approve some form of federal data privacy and security legislation this year.