The Subcommittee on Commerce, Trade, and Consumer Protection held a legislative hearing last week to discuss H.R. 2221, the proposed bill for the Act that would be known as the Data Accountability and Trust Act. The bill was first proposed by the 109th Congress back in 2005. If passed, the Act would require businesses that retain customers’ personal data to implement certain security policies and procedures aimed at protecting such data. The Act would also require such businesses to notify its customers of any security breaches.
Many states have already passed similar laws. California, often at the forefront of consumer protection laws, was the first state to adopt a data breach notification law back in 2003. Like other states with similar laws, California’s data breach notification law applies to any business with respect to its California resident customers, regardless of where the business is located. Accordingly, if a California resident is a customer of a Pennsylvania company and the Pennsylvania company is the victim of a data breach, the Pennsylvania company must notify all of its California customers of the data breach in compliance with California’s data breach notification law.
Because so many businesses, particularly web-based businesses, operate on a nation-wide level and have customers in all 50 states, many companies are already adopting data security policies that comply with California and other states’ laws. These companies will be well ahead of the curve and will not have to scramble to make major policy changes if (or more likely when) the Data Accountability and Trust Act (or similar federal legislation) is passed.
{ 0 comments… add one now }