Data breach notification bill stalls in Senate

The proposed Data Security and Breach Notification Act has met a roadblock in the US Senate

The Data Security and Breach Notification Act, introduced in June, would require companies that own or possess data containing personal information to establish “reasonable” security policies and procedures to protect that data. If a security breach occurs, entities would have to notify affected individuals. Consumers would be entitled to receive consumer credit reports or credit monitoring services for two years, as well as instructions on how to request these services.

Sen. Rockefeller, who chairs the committee, has tried on a number of occasions to bring the legislation up for a committee vote. Rockefeller and Pryor have revised the legislation in an effort to forge a consensus on the bill, but so far with no luck, according to Politico.com.

A spokeswoman for Pryor told Politico this week that lawmakers are “hoping to resolve any disagreements so the bill can be” voted on in December. A Rockefeller spokeswoman said the senator is “hopeful that we will move a bill out of the Commerce Committee with bipartisan support that will address issues regarding how entities collect, maintain, secure and use personal information in today’s economy and ensure consumers are adequately protected.”

Cybersecurity legislation has been plagued by jurisdictional disputes and partisan division in Congress. Last month, the Senate Judiciary Committee passed three data breach notification bills along party lines. Similar to the Rockefeller-Pryor legislation, the Judiciary bills would require companies to take measures to secure personal information and notify consumers when their personal data has been breached.

Senate Majority Leader Harry Reid (D-Nev.) has been trying to bring the various cybersecurity bills together into a comprehensive piece of legislation, so far with little luck.

On the House side, the Republican leadership has expressed its skepticism of the Democratic approach to cybersecurity legislation. The Republican Cybersecurity Task Force last month endorsed an approach that eschews government regulation and relies on voluntary private sector incentives to encourage improved cybersecurity.
