A bill introduced Monday by Sen. Bob Bennett (R-Utah) and Sen. Tom Carper (D-Del.), both of whom serve on the Senate Banking Committee, joins a growing list of data security measures now pending before Congress.
The proposed Data Security Act of 2006 seeks to create a national data protection and breach notification standard.
“This bill would require all financial institutions, retailers and government agencies to maintain strong internal safety protections for the data they hold,” Carper said in a statement. It would also require them to “quickly investigate” security breaches and to notify law enforcement, regulators and customers when there is a real risk of harm, he said.
The proposed bill would expand the reach of current laws that require only financial institutions to protect the security and confidentiality of customer information, Bennett said in a separate statement.
The Bennett-Carper legislation is modeled after the Gramm-Leach-Bliley Act of 1999 and will require federal and state regulators to enforce compliance with the law and to make sure that data security procedures are uniformly applied.
If covered entities fail to comply with the measure’s requirements, regulators would be allowed to levy fines, impose corrective measures or “even bar individuals from working in their respective industries,” according to a statement on Carper’s Web site.
The latest proposal comes amid heightened calls for some sort of federal data security legislation in the wake of recently disclosed breaches at the U.S. Department of Veterans Affairs and several other government agencies.
There are already at least 10 other pieces of legislation pending before Congress, all of them introduced before the VA breach. Among them is the Financial Data Protection Act of 2005, which the House Financial Services Committee passed in March. That bill is designed to give financial services companies a national standard for securing personal data and notifying customers in the event of a breach.
That proposed legislation has drawn intense criticism from privacy advocacy groups who say it would undermine stronger state laws already in place by giving companies too much leeway in deciding when to disclose breaches.
Another example of pending legislation is the Data Accountability and Trust Act (DATA), which was introduced in October by Rep. Cliff Stearns (R-Fla.). That bill would require companies to notify consumers of security breaches involving their data and would give the Federal Trade Commission the authority to enforce compliance.
The measure would also require data aggregators, such as ChoicePoint Inc., to keep the FTC informed about plans for safeguarding private data and to submit to periodic audits in the event of a breach. Stearns’ legislation has also drawn fire for allowing companies too much discretion in deciding when to notify regulators and others about breaches.