As it usually happens in a hot and popular issue, there are many congressmen who want to be the ones to take credit for the legislation that protects the public from evil and thus gain political capital. In theory this is good, as long as Congress is able to sort through the pending bills, combine and resolve conflicting provisions, and get the law enacted quickly. Seems this is not the case with the data breach legislation pending in Congress.

A new bill was introduced on June 26 by Sens. Bennett (R-Utah) and Carper (D-Del.), designed to create a uniform national standard to safeguard sensitive information and provide consumer notification of data security breaches. The Data Security Act of 2006 (S. 3568) is expected to be taken up by the Senate Banking Committee, which shares jurisdiction over data security with two other Senate committees. Under the proposed bill, companies would be required to notify their customers about data breaches posing a risk of "substantial harm or inconvenience," including identity theft or account fraud situations where consumers might experience financial loss or be forced to expend time and effort to correct false information. The breadth of the definition of harm that would trigger the notification requirement is notable: presumably any data breach would force a consumer either to expend time and effort to correct false information or to face the threat of financial loss.

Although financial institutions have similar requirements under the current Gramm-Leach-Bliley Act of 1999, the new bill would apply to a broader range of entities if they handle sensitive information.

"Though current law requires financial institutions to protect the security and confidentiality of customer information, we have to expand this reach," said Bennett, who chairs the Senate Banking Subcommittee on Financial Institutions. "Many of the recent breaches in data security have occurred outside financial institutions’ networks."

Under the Bennett-Carper bill, "substantial harm or inconvenience" would not include changing an account number or closing an account, sponsors said. Also, the measure would exempt notification that could not be used to commit identity theft or account fraud, including information that is encrypted or redacted. Also, a safe harbor is provided to financial institutions deemed in compliance with GLB requirements. To address the uniformity issue, a preemption provision is included that would preempt all state laws relating to security and breach notification, including the California data breach disclosure notification law we discussed some time ago.

However, not everything is so neat and clear in Congress these days. The Senate Judiciary Committee passed two different data breach bills in 2005. Sens. Specter (R-Pa.) and Leahy (D-Vt.) introduced the Personal Data Privacy and Security Act of 2005 (S. 1789), which would require notification broadly to "any resident in the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been accessed or acquired" as a result of a data security breach. Exemption from this broad reporting requirement can be obtained only by filing with the U.S. Secret Service indicating that the breach poses "no significant risk of harm" to consumers.

A separate bill, introduced by Sen. Sessions (R-Ala.) and called the Notification of Risk to Personal Data Act (S. 1326), would require that consumers be notified when there is a "significant risk of identity theft."

In addition to the Senate bills, there are numerous data breach-related bills in the House as well. While it is nice to see that legislators are picking up on the urgent need for data breach legislation, it is not certain how quickly the politicians on the Hill will be able to reach an agreement on the terms and enact a good data breach law.