Friday, January 09, 2009

Federal Bills on Breach Notification, SSN Use Introduced in Senate

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Two bills proposing federal laws regulating consumer privacy were introduced in the Senate on January 6.

The proposed “Data Breach Notification Act” (S. 139), sponsored by Sen. Dianne Feinstein (D-Calif.) would require any agency or any business entity engaged in interstate commerce that is in possession of sensitive personally-identifiable information to notify the subjects of such information when security breaches are discovered.

Notifications would have to be made “without unreasonable delay” by mail, telephone, or (if consent has been given by the data subject) e-mail. If notice of a breach is given to more than 5,000 individuals, notice must also be provided to all major consumer reporting agencies.

The U.S. Attorney General and state attorneys general would be charged with enforcement of the measure. Violations would be subject to civil penalties. The proposal would not create a private right of action.

Sen. Feinstein also sponsored, with Sen. Judd Gregg (R-N.H.), legislation aimed at curbing the growing epidemic of identity theft by making it harder for criminals to steal another person’s Social Security Number.

The proposed “Protecting the Privacy of Social Security Numbers Act (S. 141) would prohibit the sale or display of Social Security Numbers to the general public without the number holder’s consent. The measure would also require government agencies to take steps to protect Social Security Numbers from being displayed or accessed.

The proposal would prohibit commercial entities from requiring an individual to provide his or her Social Security Number when purchasing a good or service, with limited exceptions, such as for purposes relating to law enforcement. Those misusing a Social Security Number would be subject to civil and criminal penalties.

The legislation would also provide a private right of action in state court to aggrieved persons. Plaintiffs would be able to seek injunctive relief, as well as actual damages or statutory damages up to $500 per violation.

No comments: