On January 6, 2009, Senator Dianne Feinstein (D-Cal.) introduced two bills related to data breaches and protection of social security numbers. Bill S. 139, entitled the “Data Breach Notification Act,” would require any federal agency or business entity to notify an individual of a security breach involving personal information “without unreasonable delay.” The proposed bill defines “reasonable delay” as including “any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data systems and provide notice to law enforcement when required.” In addition to requiring notice to the affected individual(s), the bill requires that notice be provided to “major media outlets” within a state if the number of state residents affected by the breach exceeds 5,000, and also requires that notice be given to the Secret Service if the number of affected individuals exceeds 10,000 or if the affected database contains information of more than 1,000,000 individuals. The bill provides for limited exceptions for law enforcement or national security purposes.
The bill requires that the notice include (1) a description of the categories of information that was acquired by an unauthorized person, (2) a toll-free number that the individual may use to contact the agency or business and learn what types of information the agency or business maintained about the individual, and (3) the toll-free contact telephone numbers and addresses of major credit reporting agencies. The first requirement of the notification’s content is particularly interesting, as several states (including Massachusetts) currently forbid the notification from including the nature of the breach. Bill S. 139 states that it does not provide a private right of action, meaning that a private individual may not bring suit under the bill. Finally, the bill provides that its provisions “shall supersede any other provision of Federal law or any provision of law of any state relating to notification by a business entity . . . or agency.”
Senator Feinstein introduced a similar bill in 2007, which failed to pass the Senate. This year’s version, which has no co-sponsors, has been referred to the Judiciary Committee.
Bill S. 141, entitled the “Protecting the Privacy of Social Security Numbers Act,” is co-sponsored by Senators Judd Gregg (R-NH) and Olympia Snowe (R-ME). It prohibits any person from displaying, selling, or purchasing an individual’s Social Security number without the affirmative, express consent of the individual, subject to a number of exceptions (e.g., for national security, law enforcement, or public health purposes, or if the display is required, authorized, or excepted under any Federal law). The bill also would prohibit any federal, state, or local government from displaying Social Security numbers on public records posted on the Internet or from printing them on government checks. [These provisions parallel recent recommendations from the FTC as we Further, the bill prohibits any federal, state, or local agency from employing inmates in any position that would give the inmate access to Social Security numbers of other individuals. Finally, the bill would provide limits on when businesses may ask customers for their Social Security numbers.
Unlike the Data Breach Notification Act, the Protecting the Privacy of Social Security Numbers Act provides for a private right of action, allowing any aggrieved individual to sue for an injunction or monetary damages (which could be tripled if a court finds a willful and knowing violation). As with the Data Breach Notification Act, the Protecting the Privacy of Social Security Numbers Act has been referred to the Judiciary Committee.
Given the many challenges facing the federal government this upcoming year as it transitions into the Obama administration, it is difficult to predict whether Senator Feinstein’s bills will face resistance. However, all signs point to a recession-driven boom of cybercrime, identity theft and security breaches that will continue to expand in 2009 as it did in 2008. Given this environment, Congress will probably enact some version of these proposals sooner rather than later.