Data Security: Federal Legislative Approaches

摘要

Several data breach notification and data security bills were considered in the 109th Congress to respond to increasing incidences of data breaches involving personal information, and several congressional hearings were held on various aspects of the issue. In the 109th Congress, The Veterans Benefits, Health Care, and Information Technology Act of 2006 (P.L. 109-461) was passed which, among other things, requires the Department of Veterans Affairs (VA) to provide notice to veterans in case of breach of veterans personal data, notice to law enforcement officials and certain congressional committees when a data breach occurs, for the performance of a risk analysis if unauthorized access to sensitive personal information occurs, and for notification to those affected and for free credit monitoring services if this reveals a 'reasonable risk' for misuses of personal information. Although six other data security bills were reported out of committee in the 109th Congress, none were enacted into law. Three data security bills were reported by the Senate Commerce and Judiciary committees: S. 1326, S. 1408, and S. 1789. Three other data security bills were reported by the House Energy and Commerce, Financial Services, and Judiciary committees: H.R. 4127, H.R. 3997, and H.R. 5318. The passage of such comprehensive data breach legislation in the 109th Congress was precluded by jurisdictional conflicts, along with unreconcilable approaches on credit freezes, exceptions for law enforcement and intelligence agencies, exemptions for financial institutions, notice requirements, notification triggers, enforcement authorities, and preemption.