Yesterday, the U.S. Senate Judiciary Committee again approved two pieces of legislation that would require certain entities to safeguard personal information and notify individuals of breaches of that information. Over the last few years, similar legislation made it out of various Committees, but failed to go any further. Could this time be different?

The Committee voted in favor of the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139), sponsored by Senators Patrick Leahy and Dianne Feinstein, respectively. In its current form, S.1490 would require that covered entities, among other things, perform risk assessments, limit access to sensitive information, train their workforce, and require vendors by contract to implement appropriate safeguards. The Data Breach Notification Act would establish a national standard for federal agencies and businesses engaged in interstate commerce to report data breaches.

There are a number of circumstances that suggest this legislation is more likely to move forward than in years past:

  • The Judiciary Committee approved both measures by significant majorities.
  • The number of data breaches, and of complaints about them, continues to mount.
  • Congress recently had its own data breach (reported here), affecting personal information not likely to lead to identity theft, but which could hurt some members’ reelection efforts.
  • The administration has changed, and the new one arguably is more focused on privacy concerns given the push for electronic health records.

Stay tuned. . .