Privacy and Security Breach Portal: Pending U.S. Legislation

Comprehensive privacy legislation is pending in the U.S. Congress because of the large number of state privacy laws that affect interstate and international commerce.

Covered Business Entities. Federal legislation has been pending for a few years, and each year new proposals are submitted. As an example, under the draft Personal Data Privacy and Security Act of 2007, 495 (110th Cong., 1st Sess.), new data privacy rules would apply to each “business entity engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons.” This law would not apply to “financial institutions” regulated under the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. 6801 et seq. or covered entities subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.).

Mandatory Data Privacy and Security Programs. Under Section 302(e) of the draft Personal Data Privacy and Security Act of 2007, any such covered business must adopt a data privacy and security program that includes a security assessment addressing ongoing or specific changes in its operations. Specifically, due diligence would be required for regularly monitoring, evaluating, and adjusting, as appropriate, its data privacy and security program in light of any relevant changes in—
  1. technology;
  2. the sensitivity of personally identifiable information;
  3. internal or external threats to personally identifiable information; and
  4. the changing business arrangements of the business entity, such as--
Each covered business entity would need to adopt “a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities.” Id., draft Section 302(a)(1). Each situation would be subject to a balancing of protections that are “commensurate with the sensitivity of the data as well as the size, complexity, and scope of the activities of the business entity.” Id., draft Section 302(a)(4).

Such programs are generally well known to financial institutions and businesses dealing in healthcare information. However, other businesses need to adopt at least minimal programs to avoid potential claims and manage potential liabilities.

Criminal Non-Disclosure. As of early 2008, under this draft federal legislation, business owners would be subject to a new federal offense, punishable by fines and/or imprisonment for up to five years, for “knowingly” failing to provide notice of a security breach involving sensitive personally identifiable information. Privacy and Cyber-Crime Enforcement Act of 2007, H.R. 4175, introduced Nov. 14, 2007 (not enacted). If enacted, such legislation would invite judicial sentencing that, under the Federal Sentencing Guidelines, considers factors such as the creation of an environment and tone at the leadership level for compliance with the law.



© Copyright 2004-2008 Bierce & Kenerson, P.C.