STATUS: Passed the House of Representatives on Dec 11, 2009. Must also be passed by the Senate.
SUMMARY:
This bill is similar in intent and language to multiple state breach notification laws that have already been passed. In terms of personal information, for example, H.R. 2221 defines the term as "an individual's first name or initial and last name, or address, or phone number, in combination with any one or more of key elements such as Social Security number, Driver's license number or other State identification number, financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account."
H.R. 2221 sets up the Federal Trade Commission (FTC) as the primary enforcement agency responsible for defining the proper technical procedures for protecting data. State attorneys general may also be involved in enforcement following data breaches.
Among the requirements set forth by the Act, organizations holding private data must establish a data security policy, identify an information security officer and set up a process for identifying vulnerabilities. Organizations must also monitor for breaches and establish processes for securely destroying end-of-life data on hard drives and other electronic media.
There are two interesting features of this Act in its present form:
The FTC does not have jurisdiction over a fairly wide range of entities that maintain huge inventories of private data. Those entities include government, banks, savings and loan institutions, the insurance industry, and non-profits, which include colleges and universities.
However, the oversight of so-called data brokers has been increased.
The other key point lies in the following provision, quoted directly here: (a) Preemption of State Information Security Laws- This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly
(1) requires information security practices and treatment of data in electronic form containing personal information similar to any of those required under section 2; and
(2) requires notification to individuals of a breach of security resulting in unauthorized access to or acquisition of data in electronic form containing personal information.
The net effect of the sudden flurry of new data security laws suggests that an interlocking, conflicting and overlapping matrix of government oversight is being created that will make the job of compliance all the more
Complete listing and links for data security regulations and legislation.
Civil Penalties
H.R. 2221 specifies civil penalties for violations of Section 2 of the Act, which defines the requirements for information security. This means that organizations can be fined for not complying with the previously noted requirements, such as establishing data security policies and naming a data security officer. The law provides for penalties of up to $11,000 a day for each day the organization is out of compliance.
DATA also specifies penalties for violations of Section 3, which covers data breaches. This amount is calculated as follows: "the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each failure to send notification as required under section 3 to a resident of the State shall be treated as a separate violation. The maximum civil penalty calculated under this clause shall not exceed $5,000,000."