Senators Want Breach Law Across Industries

Legislation introduced in the Senate would require businesses and not-for-profit organizations to protect personal information, notify affected consumers of breaches within 60 days of discovery, and offer them credit and identity theft protection services.

Sens. Mark Pryor (D-Ark.) and Jay Rockefeller (D-W.V.) sponsor S. 3742, titled "The Data Security and Breach Notification Act of 2010." It was referred to the Committee on Commerce, Science and Technology, which Rockefeller chairs.

The bill requires that specific steps be taken to protect personal information, but also allows an entity to take into consideration the cost of implementing such safeguards.

Entities required to notify more than 5,000 individuals of a breach also must notify the major credit reporting agencies. The bill includes special requirements for information brokers, which are entities that operate massive databases of consumer information.

In general, covered entities in compliance with other federal laws requiring the protection of personal information would be deemed to be in compliance with provisions of the new legislation if enacted. The health care industry presently operates under the breach notification rule mandated under the HITECH Act of 2009.

Text of S. 3742 is available at congress.gov. The bill is one of several introduced during this session of Congress to strengthen protection of consumer information. For instance, Sens. Tom Carper (D-Del.) and Robert Bennett (R-Utah) on July 14 introduced a similar bill, S. 3579, titled "The Data Security Act of 2010." That bill is in the Banking, Housing and Urban Affairs Committee and is also available via the congressional Web site.

This story has been reprinted with permission from Health Data Management.
