This bill is similar to legislation that the senators introduced in the previous session of Congress.
The Data Security and Breach Notification Act would require companies that own or possess data containing personal information to establish “reasonable” security policies and procedures to protect that data. If a security breach occurs, entities would have to notify affected individuals. Consumers would be entitled to receive consumer credit reports or credit monitoring services for two years, as well as instructions on how to request these services.
Meanwhile, on the House side, draft national data breach notification legislation proposed by Rep. Mary Bono Mack (R-CA) was criticized for being too lax on its deadline for companies to report a data breach to customers.
The proposed bill would require companies to notify people affected by a data breach and the Federal Trade Commission within 48 hours of determining the scope of the data breach.
But some lawmakers think the bill needs a limit on how long it takes a company to determine the breach’s scope. Rep. Henry Waxman (D-Calif.) told a House panel that the bill needed a deadline for companies to determine the scope of the data breach. Edith Ramirez, the head of the Federal Trade Commission, agreed, saying that 60 days should be an “outer limit.”