
Friday, April 20, 2012

Data Security Breach Notification Laws

Gina Stevens
Legislative Attorney

A data security breach occurs when there is a loss or theft of, or other unauthorized access to, sensitive personally identifiable information that could compromise the confidentiality or integrity of that data. Forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have laws requiring notification of security breaches involving personal information. Federal statutes, regulations, and a memorandum for federal departments and agencies require certain sectors (healthcare, financial, the federal public sector, and the Department of Veterans Affairs) to implement information security programs and to provide notification of security breaches of personal information. In response to such notification laws, more than 2,676 data breaches and computer intrusions involving 535 million records containing sensitive personal information have been disclosed by data brokers, businesses, retailers, educational institutions, government and military agencies, healthcare providers, financial institutions, nonprofit organizations, utility companies, and Internet businesses. As a result, a very large number of individuals have received notices that their personally identifiable information has been improperly disclosed.

This report provides an overview of state security breach notification laws applicable to entities that collect, maintain, own, possess, or license personal information. The report describes information security and security breach notification requirements in the Office of Management and Budget’s “Breach Notification Policy,” the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Gramm-Leach-Bliley Act (GLBA).

The Senate Judiciary Committee marked up three data security bills and reported the three bills with substitute amendments. See CRS Report R42474, Selected Federal Data Security Breach Legislation, by Kathleen Ann Ruane. S. 1151 (Leahy), the Personal Data Privacy and Security Act of 2011, would apply to business entities to prevent and mitigate identity theft, ensure privacy, provide notice of security breaches, and enhance criminal penalties. It would provide law enforcement assistance and other protections against security breaches, fraudulent access, and misuse of personally identifiable information. S. 1408 (Feinstein), the Data Breach Notification Act of 2011, would require federal agencies and persons engaged in interstate commerce, in possession of data containing sensitive personally identifiable information, to disclose any breach of such information. S. 1535 (Blumenthal), the Personal Data Protection and Breach Accountability Act of 2011, would protect consumers by mitigating the vulnerability of personally identifiable information to theft through a security breach, provide notice and remedies to consumers, hold companies accountable for preventable breaches, facilitate the sharing of post-breach technical information, and enhance criminal and civil penalties and other protections against the unauthorized collection or use of personally identifiable information.

The House Subcommittee on Commerce, Manufacturing and Trade marked up H.R. 2577 (Bono Mack), the SAFE Data Act, to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach. Several subcommittee Democrats objected to the bill's definition of personal information, arguing that the definition is too narrow and does not adequately protect consumers from identity theft. The subcommittee approved H.R. 2577 by voice vote, and the measure was referred to the full committee for consideration. H.R. 1707 (Rush) and H.R. 1841 (Stearns) were also introduced to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information and by providing for nationwide notice in the event of a breach. Congress may address data security during its consideration of cybersecurity legislation.

Date of Report: April 10, 2012
Number of Pages: 23
Order Number: R42475
Price: $29.95


Document available via e-mail as a pdf file or in paper form.
To order, e-mail Penny Hill Press or call us at 301-253-0881. Provide a Visa, MasterCard, American Express, or Discover card number, expiration date, and name on the card. Indicate whether you want e-mail or postal delivery. Phone orders are preferred and receive priority processing.