October 22, 2021

Volume XI, Number 295

Senate Bill Introduced to Protect Personally Identifiable Information

Motivated primarily by several recent massive data breaches, Senate Democrats recently introduced a bill geared toward protecting Americans’ personal information against cyber attacks and ensuring timely notification and protection when data is breached.

The Consumer Privacy Protection Act of 2017 provides that companies that collect and hold data on at least 10,000 Americans would be required to implement “a comprehensive consumer privacy and data security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity, and the nature and scope, of the activities of the covered entity.”

The legislation protects broad categories of data, including: Social Security, driver’s license, and passport numbers; financial account numbers or debit/credit card numbers in combination with a security code or PIN; online usernames and passwords; unique biometric data such as fingerprints and retina or iris scans; physical and mental health data; geolocation data; and private digital photographs and videos.

The bill would also allow the United States Attorney General, state attorneys general, and the Federal Trade Commission to enforce alleged violations of the breach notification or security rules, which could subject companies to civil penalties of at least $16,500, depending on the number of records that were breached. The bill does not provide for a private right of action.

The legislation would require notification to be made “as expediently as possible and without unreasonable delay following the discovery by the covered entity of a security breach.”

The law would also require companies to provide “five years of appropriate identity theft prevention and mitigation services” at no cost to any individual who asks for them, and would prohibit automatic enrollment of individuals in those services without their consent.

The text of the bill can be found here.

It is worth noting that shortly after the introduction of the Consumer Privacy Protection Act, three Democratic senators introduced the Data Security and Breach Notification Act, which would require companies to report data breaches within 30 days of becoming aware of a breach. An individual who conceals a data breach could face a penalty of up to five years in prison. This bill comes on the heels of Uber’s recent data breach announcement that hackers stole 57 million records in 2016, and that Uber paid the hackers $100,000 to destroy the documents.

We will continue to report on the status of these bills and other legislative proposals for heightened data security at the federal level, in light of the massive data breaches of late, as developments unfold.

Jackson Lewis P.C. © 2021
National Law Review, Volume VII, Number 342

About this Author

Jeffrey M. Schlossberg, Employment Attorney, Jackson Lewis, Law firm
Principal

Jeffrey M. Schlossberg is a Principal in the Long Island, New York, Office of Jackson Lewis P.C. Mr. Schlossberg has devoted his entire career to the employment law field.

Mr. Schlossberg has extensive experience in handling all aspects of the employer-employee relationship. Areas of concentration include: employment discrimination prevention and litigation; workplace harassment policy development and compliance; social media and information privacy in the workplace; family and medical leave; disability matters; wage and...

631-247-4614