Posted by Ken Leeser in Data Breach Notification, FTC, Information Security Plan, Regulation
December 15

A national data breach notification bill was passed in the U.S. House of Representatives on Tuesday, December 8, 2009. 

The Data Accountability and Trust Act (http://thomas.loc.gov/cgi-bin/bdquery/z?d111:h.r.02221:/) would require any organization that experiences a breach of electronic data containing personal information to notify every U.S. individual whose information was breached. The bill also requires that the Federal Trade Commission be notified.

In addition, organizations would be required to designate an information security officer and establish a data security policy. The policy would have to address the collection of personal information and include a process for identifying and correcting system vulnerabilities and for disposing of electronic data.

Under the bill, personal information is defined as “an individual’s first name or initial and last name, or address, or phone number,” along with at least one of the following: Social Security number; driver’s license number or other state identification number; or financial account number, credit or debit card number, along with the security/access code or password needed to access the financial account.

The bill was introduced April 30 by Rep. Bobby Rush, D-Ill., chairman of the House Subcommittee on Commerce, Trade and Consumer Protection. It now goes to the Senate for a vote.

“For the past five years, the Privacy Rights Clearinghouse contends that nearly 340 million records containing sensitive personal information have been involved in security breaches,” Rush said Tuesday on the House floor. “However, there is no comprehensive federal law that requires all companies that hold consumers’ personal information to implement reasonable measures to protect that data. Also, there is no federal law that requires companies that experience a data breach to provide notice to those consumers whose personal information was compromised.”

A number of similar bills have recently been introduced in Congress, including two federal data security bills that have cleared the U.S. Senate Judiciary Committee. None, however, had previously passed a vote on the House floor.

“The ball is in the Senate’s court,” Kellogg said. “There will need to be some work in the Senate to bring together different proposals to move this legislation forward. Hopefully we can finally see a federal law.”

The FTC would enforce the act, the bill states, and would be required to post a notice on its website about breaches it determines to be of public interest. Organizations that do not fall under the FTC’s jurisdiction would not be subject to the bill’s requirement to notify breach victims.
