Senate panel approves data-breach bill

The U.S. Senate Judiciary Committee approved on Thursday a bill that would require companies with data breaches to notify affected customers and would set up rules for the U.S. government's use of private databases.

The Personal Data Privacy and Security Act, sponsored by committee Chairman Arlen Specter, a Pennsylvania Republican, and Senator Patrick Leahy, a Vermont Democrat, would also require data brokers to allow U.S. residents to correct their personal data, and it would require businesses holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies.

Businesses that do not implement security plans could be fined up to $35,000 a day if found in violation of the requirement.

The Judiciary bill would allow companies that suffer data breaches to avoid notifying consumers if they determine the breach poses "no significant risk" of identity theft or other data fraud. But, unlike some other data-breach bills in Congress, the Specter-Leahy bill would require companies that determine there is no risk from a data breach to report their findings to the U.S. Secret Service, which can then conduct its own investigation.

"This bill will ensure that our laws keep pace with technology," Leahy said in a statement. "In this information-saturated age, the use of personal data has significant consequences for every American. People have lost jobs, mortgages and control over their credit and identities because personal information has been mishandled or listed incorrectly."

The Judiciary legislation is one of about 15 bills currently before Congress that require data-breach notification, most of them introduced after a series of data breaches were reported earlier this year.

It is the second data-breach notification bill to be approved by a full committee, with the next step a vote on the Senate floor. In July, the Senate Commerce, Science and Transportation Committee approved the Identity Theft Protection Act, but the full Senate has not taken action on it.

Like most data-breach bills now before Congress, the Specter-Leahy bill would preempt the more than 20 state laws that now require data-breach notification. Some consumer and privacy advocates have expressed concern over weak data-breach laws preempting stronger state laws, but officials with the Center for Democracy and Technology (CDT), a privacy advocacy group, called the Specter-Leahy the most comprehensive data breach notification bill now before Congress.

Several business groups have called for preemption of state notification laws, saying companies will have a hard time complying with a "patchwork quilt" of state rules. CDT supports the preemption of state laws when the federal law doesn't weaken consumer protection, said Ari Schwartz, CDT's deputy director.

"We can't say we like preemption no matter what," he said during a press briefing Friday. "It's got to be something that benefits consumers."

The Judiciary bill is the only current legislation that includes rules for the government use of private databases to check on U.S. residents, said Nancy Libin, a staff counsel at CDT. The Privacy Act of 1974 set rules for the use of government-controlled databases, but some government agencies have gotten around restrictions by contracting with private data brokers, such as ChoicePoint Inc., which announced a data breach affecting about 145,000 U.S. residents in February.