June 13, 2011
Companies that are breached by hackers who steal consumer information would have to notify customers within 48 hours of assessing and identifying the intrusion under a new data security bill by Rep. Mary Bono Mack.
The proposal is called the Secure and Fortify Electronic Data Act and the California Republican plans to unveil a draft of the legislation Wednesday at a hearing before her Commerce, Manufacturing and Trade Subcommittee.
A version of the bill made public Monday shows it tracks closely with legislation that cleared the Energy and Commerce Committee on a bipartisan vote in 2010, but the proposal makes key tweaks to the bill’s scope.
Bono Mack’s plan would make clear that a broad range of entities — from companies to third-party data holders such as “contracted cloud providers” — are covered under her proposed data breach law. Those companies would have to put in place rules that ensure they only collect and store as much data as they need, according to a Republican memo circulated ahead of the hearing.
If a covered entity's servers are breached, it would be required to notify law enforcement within 48 hours of discovering the intrusion, “unless that breach is determined to be inadvertent,” according to the memo.
The affected firm would then have to inform consumers and the Federal Trade Commission, the agency that would hold enforcement jurisdiction under the bill, within 48 hours of addressing, identifying and assessing the breach. The provision is meant to ensure companies promptly notify those affected, while still granting them the flexibility they may need to investigate the attack.
Companies that fail to conduct their own inquiries in a reasonable amount of time could face penalties by the FTC.
Those sorts of time targets were not as clearly spelled out in the data breach bill put forth by Rep. Bobby Rush (D-Ill.) in the previous Congress. That bill won bipartisan support but failed to clear a floor vote.
As expected, Bono Mack’s bill does not apply to companies that are covered by the security provisions in the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act.
Still, the chairwoman’s new legislation arrives in response to a torrent of data breaches this year — hacks that have affected previously little-known companies, like Epsilon, and household names, like Sony.
Last week, that pattern continued as hackers targeted Citigroup and the International Monetary Fund.
The hearing Wednesday will mark Bono Mack’s third foray into the issue. Set to testify on the first of two panels is FTC Commissioner Edith Ramirez. A second panel of witnesses will feature Jason Goldman, counsel for telecommunications and e-commerce at the U.S. Chamber of Commerce; Robert Holleyman, president and CEO of the Business Software Alliance; Stuart Pratt, president and CEO of the Consumer Data Industry Association; and Marc Rotenberg, executive director of the Electronic Privacy Information Center.