Sen. Pat Toomey (R-Pa.) has introduced the Data Security and Breach Notification Act (S. 3333), a bill that would preempt state data breach laws -- he says there are 46 different ones -- and replace them with a national standard.
In the event of breaches, companies possessing personal data would have to contact consumers. The bill, a copy of which was posted by The Hill on Friday, requires covered entities, like ISPs, to take "reasonable measures" to protect information and to report breaches to covered entities transmitting, routing or providing storage of such data, so long as they can be "reasonably identified," as well as informing law enforcement.
Notice of a breach can be delayed by written request of a law enforcement agency -- rather than, say, requiring a court order -- if revealing it would impede a civil or criminal investigation. It can also be delayed for reasons of national security.
A violation of the national standard will be considered an unfair and deceptive practice in violation of the Federal Trade Commission Act, with a maximum civil penalty of $500,000 for all violations related to the same omission.
Original co-sponsors, all Republicans, are Sens. Roy Blunt (R-Mo.), Jim DeMint (R-S.C.), Dean Heller (R-Nev.) and Olympia Snowe (R-Maine).
"Senator Toomey's data security legislation is a significant step towards modernizing data-security rules for the Internet age," said Verizon in a statement. "It appropriately imposes the same rules for all companies in the Internet ecosystem, and simplifies data security by providing consumers with a single stop at the FTC for data security issues. No matter how consumers provided their data -- using an app, visiting a website, using a network, or running software -- they want one place to go when there are concerns about whether their information is safe and secure."