Data security has become an increasingly hot-button issue as a result of the botched launch of the Affordable Care Act’s health insurance exchange web site and the recent Target Corp. data breach that compromised the credit and debit card data of millions of customers.
On January 10, the House of Representatives passed the Health Exchange Security and Transparency Act (H.R. 3811), which requires the Department of Health and Human Services to notify all individuals whose personally identifiable information is exposed in a data breach of a healthcare exchange within two days of discovering the breach. The legislation was a response to reports that the government’s health insurance exchange web site was launched before final security testing was completed, although there have been no reports of data breaches in the system. The Senate, with its Democratic majority, is unlikely to consider the legislation. The Democrats’ Committee on Commerce & Energy has suggested that the purpose of the bill is to discourage Americans from signing up on the exchange by implying it is not secure; the committee asserts that the exchange’s security measures go beyond federal IT standards.
Three Congressional committees – Senate Banking, Senate Judiciary, and House Energy and Commerce – held hearings the week of February 3 that examined data breaches and their impact on customers. Two of the hearings featured a top executive from Target Corp., as well as Neiman Marcus, which was hit with a three-month data breach affecting 1.1 million of its customers. All three committees also heard testimony from officials from the Federal Trade Commission, the Department of Homeland Security, the U.S. Secret Service, and executives of other large retailers.
The Target and Neiman Marcus executives briefed the panels on the details of their data breaches and faced a barrage of questions about technology improvements that could thwart future attacks, as well as about procedures for telling customers when their personal information has been compromised. On January 31, the New York Times reported that hackers from Eastern Europe are believed to be responsible for the data thefts at Target and at as many as half a dozen other retailers.
The Target data breach has led to the introduction of several high-profile Senate bills. On January 8, Sen. Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, introduced the Personal Data Privacy and Security Act. The bill (S. 1897) would establish a national standard for data breach notifications and would require businesses to safeguard consumers’ personal information from cyber threats. It would also impose criminal penalties on individuals who intentionally conceal a data breach that causes economic damage to consumers, and would require companies to implement internal policies to protect the personal data they collect.
On January 15, Senators Tom Carper (D-DE) and Roy Blunt (R-MO) introduced a bipartisan bill (S. 1927) to replace the current patchwork of state laws and establish one set of national standards for businesses to safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud.
In addition, Sen. Jay Rockefeller (D-WV), Chairman of the Senate Commerce, Science and Transportation Committee, introduced the Data Security and Breach Notification Act of 2014, which would require the Federal Trade Commission to issue data security standards for companies that hold consumers’ personal and financial information. The bill would also establish requirements for the prompt notification of customers in the event of a data breach.