112th Congress Recap: Despite continual congressional interest in data breach legislation spurred by highly publicized data breaches, and despite the overarching desire to have a federal data breach notification law to replace the current patchwork of 46 state laws, the 112th Congress failed to pass a bill.
Democratic supporters of data breach legislation hoped that their language could be included with comprehensive cybersecurity legislation, but such amendments were opposed by business groups and others and ultimately the cybersecurity bill did not pass.
2012 saw congressional developments in the form of new bills and Committee action. In June, Sen. Pat Toomey (R-PA) introduced S. 3333 (the Data Security and Breach Notification Act of 2012), which would require breach notification to individuals as well as to the FBI in any breach of more than 10,000 records. S. 3333 joined a raft of other similar data security bills in the 112th Congress. In September, the Senate Judiciary Committee approved two bills: S. 1408 (the Data Breach and Notification Act), which would establish a national standard for breach notification; and S. 1535 (the Personal Data Protection and Breach Accountability Act), which would provide a mixture of data breach notification requirements and legal measures that would allow individuals to recover damages from companies that allow preventable breaches. The Committee also approved S. 1151 (the Personal Data Privacy and Security Act) to update the 1986 Computer Fraud and Abuse Act by toughening legal penalties for hacking.
While all of these bills would create a national data breach notification standard, they differ in triggering requirements for notification; definitions of “personal information”; obligations on data holders to protect data; the form and recipients of notice; timetables for providing notice; and remedies and penalties.
In 2012, states continued to move on their own in the area of data security, and 11 states introduced data breach notice bills seeking to expand the scope of current laws, set additional requirements related to notification, or change the penalties for breaches.