The four senators are Dianne Feinstein (D-Calif.), chairman of the Intelligence Committee; John Rockefeller (D-W.Va.), chairman of the Committee on Commerce, Science and Transportation; Mark Pryor (D-Ark.), chairman of the Commerce Subcommittee on Communications, Technology, and the Internet; and Bill Nelson (D-Fla.), chairman of the Commerce Subcommittee on Science and Space.
The legislation has two main thrusts: the Federal Trade Commission (FTC) would issue mandatory security standards for the protection of personal information, and breached organizations would be required to notify affected customers whenever that data is compromised. Different states currently impose different breach notification requirements, and the bill appears to be an attempt to consolidate them into a single federal law.
Under the proposal, businesses would receive "incentives to adopt state of the art technologies [such as encryption] that would render consumer electronic data unreadable or unusable in the case of a breach."
The move follows a series of major security breaches. "Recent massive data breaches at Target and Neiman Marcus have put the personal information of tens of millions of Americans at risk," Senator Feinstein said in announcing the plan. "This is a real and growing problem. The legislation I introduce today with Chairman Rockefeller will ensure that Americans' sensitive personal and financial information is stored securely, that Americans receive prompt notification when this information is compromised and that law enforcement is promptly notified in order to prosecute cybercrime... The breaches are getting more frequent, and members of Congress, of both parties and across different congressional committees, must come together to pass this common-sense plan to protect the American consumer."
Whether this proposal will ever become law is, however, another matter. It is also unclear to what extent any new FTC rules could improve on the PCI DSS standard, with which the breached retailers must already comply but which evidently failed to protect them. Furthermore, if the notification requirement follows the California model, as seems likely, public notification could be delayed on the advice of law enforcement, and it is questionable whether the requirement would then have much practical effect for the consumer.
The proposed law would require breached companies "to notify a central, designated federal entity (established by the Department of Homeland Security), which would in turn notify other relevant law enforcement and government agencies of the breach." With early notification to law enforcement mandated, it is quite likely that those agencies would request a delay in public notification while they investigate the breach.
Nevertheless, the proposal introduces strong sanctions. "The bill would impose civil penalties for violations of the law as well as criminal penalties on corporate personnel that deliberately conceal a data breach."