House panel to consider bill establishing national data breach standards

Among other things, the proposed bill – the SAFE Data Act – would require organizations to notify both the people affected by a data breach and the Federal Trade Commission (FTC) within 48 hours.

“Consumers have a right to know when their personal information has been compromised, and companies and other organizations have an overriding responsibility to promptly alert them”, Bono Mack said in releasing the draft bill.

The draft bill would expand the FTC’s powers by giving it authority to levy civil penalties if companies or entities fail to respond to data breaches in a timely and responsible manner. Nonprofit organizations such as universities and charities would also be required to comply with the legislation.

Additionally, the SAFE Data Act grants the FTC the ability to expand the definition of “personally identifiable information” to include any data that poses a reasonable risk of identity theft or would otherwise “result in unlawful conduct.”

Bono Mack said the draft bill is similar to one passed by the House in 2009 but not passed by the Senate. However, that bill did not include a 48-hour time limit for notification.

A national data breach notification proposal is also contained in the White House cybersecurity legislative proposal submitted to Congress last month. As data breach lawyer David McIntosh noted in an interview with Infosecurity, whether this type of legislation is beneficial depends on the details.
