First Steps Taken to Establish Federal Law Requiring Companies to Secure Consumer Data; Will Congress Pass Something This Year?
The U.S. House Energy & Commerce Committee took the first steps recently to establish a federal law that would cover actions that companies need to take to secure consumer data. Additionally, the legislation outlines notification requirements those companies must adhere to when a data breach occurs.
The legislation, as passed with bipartisan votes by the subcommittee, requires companies to implement and maintain reasonable security measures and practices to protect and secure personal information in electronic form against unauthorized access. Such measures and practices must take into consideration the size and complexity of a covered entity and the nature and scope of its activities.
In addition, companies would be required to conduct a reasonable and prompt investigation of a breach of security to determine whether there is a reasonable risk that such breach has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud to the individuals whose personal information was breached. Generally, consumers would have to be notified within 30 days after the covered entity has taken the necessary measures to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data system.
The bill also includes enforcement provisions which state that the maximum total liability is $2.5 million for each violation of the bill’s information security requirements as well as $2.5 million for all violations of data breach notification requirements resulting from a single breach. The bill would pre-empt state law and be enforced by the Federal Trade Commission and state Attorneys General. The bill is scheduled to go to full committee in the near future for mark-up.