Sen. Pat Toomey (R-Pa.) has introduced the Data Security and
Breach Notification Act (S. 3333), a bill that would preempt state data breach
laws -- Toomey says there are 46 different ones -- and replace them with a
national standard. In the event of breaches, companies possessing personal data
would have to contact consumers.
The bill, a copy of which was posted by the Hill Friday,
requires covered entities, like ISPs, to take "reasonable measures"
to protect information and to report breaches to covered entities transmitting,
routing or providing storage of such data, so long as they can be
"reasonably identified," as well as informing law enforcement.
Notice of a breach can be delayed by written request of a
law enforcement agency -- rather than, say, requiring a court order -- if
revealing it would impede a civil or criminal investigation. It can also be delayed for
reasons of national security.
A violation of the national standard will be considered an
unfair and deceptive practice in violation of the Federal Trade Commission Act,
with a maximum civil penalty of $500,000 for all violations related to the same
Original co-sponsors, all Republicans, are Sens. Roy Blunt
(R-Mo.), Jim DeMint (R-S.C.), Dean Heller (R-Nev.) and Olympia Snowe (R-Maine).
"Senator Toomey's data security legislation is a significant
step towards modernizing data-security rules for the Internet age," said
Verizon in a statement. "It appropriately imposes the same rules for all
companies in the Internet ecosystem, and simplifies data security by providing
consumers with a single stop at the FTC for data security issues. No matter how
consumers provided their data -- using an app, visiting a website, using a
network, or running software -- they want one place to go when there are
concerns about whether their information is safe and secure."