Friday, December 11, 2009

Senate Committee Passes Data Breach Laws

The U.S. Senate Judiciary Committee passes two bills that establish federal guidelines for data breach notifications.

Two sweeping bills that would set new standards for data breach notifications made their way out of the Senate Judiciary Committee Nov. 5.

The committee voted yes on the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139). The vote means the bills are now headed to the full Senate for its stamp of approval.

The Personal Data Privacy and Security Act of 2009 establishes guidelines for performing risk assessments and vulnerability testing and controlling and logging access to sensitive information. There are also provisions tied to protecting data in transit and at rest, and a set of rules for notifying law enforcement, credit reporting agencies and individuals affected by a breach.

In addition, the bill creates the Office of Federal Identity Protection inside the Federal Trade Commission.

The committee also gave the thumbs up to the Data Breach Notification Act, which requires U.S. agencies and corporations involved in interstate commerce to notify anyone whose personal information either was or may have been accessed or acquired in a breach.


Agree?


Source: http://www.eweek.com/c/a/Security/Senate-Committee-Passes-Data-Breach-Laws-590570/


3 comments:

  1. Personally I think it will only lead to more lawsuits against private companies. The House had its heart in the right place, but in reality they are only going to cause widespread panic among individuals when more and more security breaches are made public. The law is one of a reactionary nature; I would like to see more of a concentration on proactive legislation that would force companies to avoid these breaches altogether.

  2. I have mixed feelings about this issue. As we have discussed at length in class through our case studies, alerting the public does sometimes cause panic during a security breach. But what are the motives behind the company for not notifying the individuals? Do they really care about not causing a public panic until the issue is resolved, or are they merely saving face from public scrutiny? I actually believe that this bill would tarnish the reputations of many companies, merely because simple flaws do occur. However, I also believe that when dealing with sensitive information, such as financial data and social security numbers, even if the breach has been handled and nothing was released, companies should notify individuals of their shortcomings.

  3. The acts seem to have some effective clauses for making companies more accountable when it comes to the information security of their customers. For instance, the guidelines for performing risk assessments and vulnerability testing will help make sure companies' websites and information is more secure. On the other hand, I think there needs to be some sort of designation, or perhaps grace period, when it comes to notification. Not all breaches require notification, especially if no customer data was compromised, and in some cases investigations can be interrupted or ruined by public notification.
