Data Breach Security Bill Criticized for Lack of Privacy Safeguards

The Data Security and Breach Notification Act – commonly referred to as the Data Breach Security Bill – was announced by President Obama earlier this year in the State of the Union address. Last week the new bill was introduced, and the Subcommittee on Commerce, Manufacturing, and Trade held a meeting yesterday to discuss it.

The aim of the bill is to improve cybersecurity measures throughout the United States and introduce new standards to protect the privacy of consumers. Although numerous pieces of legislation already cover data privacy and security, the new legislation was deemed necessary: according to Vice Chairman of the House Energy and Commerce Committee, Marsha Blackburn, and Rep. Peter Welch, the new bill will “replace the current patchwork of laws” and introduce a single, national standard to protect the sensitive data of all consumers.

According to a statement released by Blackburn, “This bill will help enhance the security of sensitive information and provide much needed clarity by creating a national standard and ensure that consumers are notified of a breach without unreasonable delay.” She went on to say, “It’s imperative that we take action to prevent hackers’ success and provide safeguards to consumers to protect their virtual selves if and when their data is compromised.”

The need for the new legislation is clear, but the bill has already drawn some criticism, in particular for failing to introduce sufficiently high standards of data security and for offering too few solutions.

Welch said, “Washington has been asleep at the switch while millions of Americans have had their personal information stolen by cyber criminals. Most Americans would be shocked at how inadequate current laws are at safeguarding their sensitive financial information.” He did, however, go on to say, “while this draft bill is far from perfect, it is an important step in the right direction.”

Representative Frank Pallone, Jr., Ranking Member of the House Energy and Commerce Committee, and Representative Jan Schakowsky, Ranking Member of the Committee’s Commerce, Manufacturing and Trade Subcommittee, have both spoken out about their disappointment with the new legislation.

The pair released a joint statement saying, “We have numerous concerns about the weakening of consumer protections overall, as well as the dilution of protections for customers of telecommunications and cable services. We will continue to work for legislation that provides the strongest possible safeguards and protections for American consumers.”

The Data Security and Breach Notification Act

The Health Insurance Portability and Accountability Act of 1996 dictates what healthcare providers – and other covered entities – are permitted to do with PHI, and introduced safeguards that must be employed to protect the privacy of patients.

The new bill does not specifically cover medical information, although biometric information is covered if that data can be used to identify an individual. This means that, while it is not intended at this stage, the new Security Bill could be expanded to include healthcare information later.

Specific data included under the bill’s definition of “personal information” includes:

  • Last name and initial or full name
  • Telephone numbers and addresses
  • Social Security, Driver’s License and other government ID numbers and codes
  • Financial details: Bank accounts, credit card information & debit card numbers
  • Mother’s maiden name
  • Date of birth
  • Other unique identification numbers

Once the bill is passed, organizations will be required to address security concerns relating to the above data, and if an incident occurs in which that data is compromised, breach notifications will need to be issued to all affected individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.