Friday, April 20, 2012

Selected Federal Data Security Breach Legislation

Kathleen Ann Ruane
Legislative Attorney

The protection of data, particularly data that can be used to identify individuals, has become an issue of great concern to Congress. There is no comprehensive federal law governing the protection of data held by private actors. Only those entities covered by the Gramm-Leach-Bliley Act, 15 U.S.C. §§6801-6809 (certain financial institutions), and by the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. §1320d et seq., together with the amendments to HIPAA contained in the Health Information Technology for Economic and Clinical Health Act (HITECH Act), P.L. 111-5 (certain health care facilities), are explicitly required by federal law to report data breaches. If private companies have stated in their privacy policies that they will notify individuals upon a suspected data breach, failure to provide such notification may be considered an unfair and deceptive trade practice under Section 5 of the Federal Trade Commission Act (FTC Act). However, the FTC does not explicitly require private actors in possession of data related to individuals to notify those individuals or the federal government should a data breach occur.

Forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted laws requiring notification upon a data security breach involving personal information. However, these laws may vary in their application. They may only apply to certain entities or to certain data. Furthermore, companies maintaining stores of personal data may find it difficult to comply with the potentially different requirements of various state laws.

The lack of a comprehensive federal law addressing security breaches involving personal data, combined with the difficulty industry participants report in complying with the various state laws, has led Congress to propose a number of bills that would require private actors in possession of personal data to report breaches of that data. The Senate Judiciary Committee recently approved and reported three bills that would create federal standards for data breach notification: S. 1151, the Personal Data Privacy and Security Act of 2011 (Chairman Leahy); S. 1408, the Data Breach Notification Act of 2011 (Senator Feinstein); and S. 1535, the Personal Data Protection and Breach Accountability Act of 2011 (Senator Blumenthal). The bills have similar structures and elements. This report analyzes the bills as reported out of the committee, discussing their similarities and differences.

For more information about current state and federal data security breach notification laws, see CRS Report R42475, Data Security Breach Notification Laws, by Gina Stevens.

Date of Report: April 9, 2012
Number of Pages:
Order Number: R424
Price: $29.95