The U.S. House Energy & Commerce Committee recently took the first steps toward a federal law covering the actions companies must take to secure consumer data. The legislation also sets out the notification requirements those companies must follow when a data breach occurs.
The legislation, as passed by the subcommittee with bipartisan votes, requires companies to implement and maintain reasonable security measures and practices to protect and secure personal information in electronic form against unauthorized access. Such measures and practices must take into consideration the size and complexity of the covered entity and the nature and scope of its activities; the bill sets a flexible "reasonable" standard rather than prescribing specific controls.
In addition, companies would be required to conduct a reasonable and prompt investigation of a breach of security to determine whether there is a reasonable risk that the breach has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud to the individuals whose personal information was breached. Generally, consumers would have to be notified within 30 days after the covered entity has taken the necessary measures to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data system; that is, the 30-day clock runs from the completion of those steps, not from the discovery of the breach.
The bill also includes enforcement provisions capping total liability at $2.5 million for each violation of the bill's information security requirements, and at $2.5 million for all violations of the data breach notification requirements resulting from a single breach. The bill would preempt state law and would be enforced by the Federal Trade Commission and state Attorneys General. It is scheduled to go to the full committee for mark-up in the near future.