Senator Toomey’s Data Breach Notification Proposal is Good Policy, But Faces Uphill Battle

Last week, Senator Toomey (R-Penn.) released the “Data Security and Breach Notification Act of 2012,” and is co-sponsored by Senator Olympia Snowe, Jim Demint, Roy Blunt, and Dean Heller.

There are several provisions to this proposed data breach notification legislation, but among the highlights is a requirement that a covered entity provide “ . . . notice of any breach of the security of the system following discovery by the covered entity . . .” so long as the covered entity “reasonably believes” that user information was “accessed and acquired by an unauthorized person and that the covered entity reasonably believes has caused or will cause identify theft or other financial harm.”

The bill also expands a requirement that information that is encrypted is exempted from notification, including information that “by any other method or technology that renders the data elements unusable.”  The bill preempts state data breach notification laws and precludes private rights of action.   The law imposes a maximum penalty of $500K per breach incident.

Overall, to the extent a data breach notification law gets passed during the 2012 legislative session this legislation is the least burdensome on businesses when compared to Senator Feinstein’s Data Breach Bill or even Rep. Bono Mack’s data breach notification proposal.

It still will be an uphill battle to get data breach legislation passed due to the concern that many in the House Republican leadership who have serious concerns with the pre-emption provision, which industry believes is a critical provision for any data breach bill.  There are many inside the beltway policymakers who believe that to the extent data breach legislation is adopted it will hinge on whether a data breach notification bill will be successfully added as amendment to a cybersecurity bill.