SAFE Data Act Mandates Security Measures for Companies Collecting Your Data
Data system breaches have become common occurrences. Large companies such as Sony, whose popular PlayStation Network experienced roughly a month of downtime after a massive breach, and Epsilon Interactive, an email service provider that maintains email subscription databases for the likes of Best Buy and JPMorgan Chase, are just two recent targets. These days it seems almost everyone has been affected by a data breach, whether they know it or not. Representative Mary Bono Mack (R-California) is proposing a bill that would mandate security policies for companies that handle consumer information.
As Chair of the Commerce, Manufacturing, and Trade Subcommittee of the House Energy & Commerce Committee, Rep. Mary Bono Mack hopes the proposed bill will encourage better security practices by requiring companies to follow federally mandated procedures for handling sensitive personal data. The newly drafted bill would also require companies to notify law enforcement of a breach, as well as the US residents affected by it.
The Commerce, Manufacturing and Trade Subcommittee will convene a hearing today, June 15th, 2011, to discuss the Secure and Fortify Electronic Data Act, or "SAFE Data Act." The bill is intended to address the lack of a federal data security law and is a direct response to the recent hearings on consumer data security, specifically the Sony and Epsilon breaches earlier this year. It aims to strengthen the protection of consumers' personal data and to establish timely breach notification requirements.
The House Energy & Commerce Committee published the Discussion Draft of the SAFE Data Act on its website, allowing a sneak peek at the proposed bill. Among its provisions, the bill would require companies that collect sensitive personal data to put in place security policies governing the collection, use, sharing or sale of that data. Companies would have to establish processes for assessing their data systems, including monitoring for possible vulnerabilities, and take preventive measures to minimize the likelihood of a breach. They would also have to adopt data minimization policies: retain only the information required for reasonable business operations and legal obligations, and establish procedures for the safe deletion or destruction of sensitive user data once it is no longer needed.
The rules governing the collection and retention of sensitive user data matter, but perhaps even more important are the proposed breach notification requirements. Under the SAFE Data Act, a company that experiences a data breach would be required to notify the appropriate law enforcement agencies within 48 hours of discovering it. The company would then assess what data was involved. Once that assessment is complete, and within a further 48 hours, the company would have to report to the Federal Trade Commission if there is a reasonable risk of fraud or identity theft, and at that point would also have to begin notifying the US residents whose sensitive data was accessed. If more than 5,000 US residents are affected, the company would additionally be required to notify the major credit reporting agencies.
The SAFE Data Act is a step in the right direction for protecting consumer information; however, the draft already contains a large loophole. Companies would be exempt from notifying law enforcement if the breach is found to be the result of "inadvertent access or inadvertent acquisition by an employee or agent of such person," as stated in the Discussion Draft of the SAFE Data Act. In practice, an organization that wants to avoid notification has an incentive to classify an incident as inadvertent, and the draft as written offers no criteria for that determination. Further, no penalties for non-compliance have been discussed as of yet. Without meaningful consequences, this well-intentioned bill will do little to ensure the security of consumer data.
The Commerce, Manufacturing and Trade Subcommittee hearing will convene today, June 15th, 2011, at 10:00am ET. The hearing is open to the public and press. Further information, including the witness list, the memorandum, the complete discussion draft of the SAFE Data Act, and a live stream of the hearing, is available from the Subcommittee's hearing page.
Source: "Discussion Draft of H.R. ____, a bill to require greater protection for sensitive consumer data and timely notification of breach," Commerce, Manufacturing and Trade Subcommittee, House Committee on Energy and Commerce.