PRISM Update

Congress Agrees: Data Breaches are Serious Business

PRISM International is tracking multiple bills in the U.S. House and Senate that deal with data breach and identity theft provisions. Clearly, the barrage of high-profile data breach events has attracted the attention of Congress and regulators. We expect to see action on this issue soon.

The most likely candidate for passage is S 1151, the Personal Data Privacy and Security Act of 2011. This bill, originally authored by Sen. Patrick Leahy, is closely associated with bills sponsored by Sens. Blumenthal, Franken and Feinstein. The bill has been voted out of committee and is on the Senate legislative calendar.

S 1151 makes concealing a data breach a crime punishable by up to five years in prison. Title III of the bill deals with the security of personally identifiable information and applies to organizations that store sensitive personally identifiable information in digital or electronic form on 10,000 or more persons. There is an exemption for companies already functioning as a business associate in compliance with HIPAA (the Health Insurance Portability and Accountability Act).

Covered entities outsourcing to the private sector are required to use appropriate due diligence based on the capabilities of the outsourcing partners and to ensure by contract that information will remain protected. Penalties of up to $500,000 per violation may be imposed on those who fail to meet the guidelines. Both the Federal Trade Commission and state attorneys general can bring a cause of action against a business entity. This law would supersede state law for those covered by the requirements. The bill also has a robust data breach notification section.

Similar bills in Congress do not appear to have enough support to make it out of committee.

Congress is not alone in its concern. PRISM International has created a Privacy Plus Certification Program, which will start as a self-certification program before it transitions to an externally audited program after 2012. It addresses the primary areas of concern for industry operators—administrative safeguards, physical safeguards and technology safeguards. Information about the first certification workshop has been released and is available for review. Because attendance is limited for the first certification workshop, PRISM International members will be given first priority. A second certification workshop will be held in conjunction with PRISM International's Annual Conference in Las Vegas in May. More information is available at http://prismintl.org/events/2012/01/prism-international-privacy-certification-workshop.

Jim Booth is executive director of PRISM International, Garner, N.C., and can be reached at jim@prismintl.org.