The Senate Judiciary Committee approved two bills on November 5, 2009.  The first, the Personal Data Privacy and Security Act of 2009 (S. 1490), amends the federal criminal code to make fraud in connection with unauthorized access to sensitive personally identifiable information (“PII”) subject to federal racketeering charges.  The bill would also make the intentional and willful concealment of a breach a crime and would require any agency or business entity engaged in interstate commerce that uses, accesses, transmits, stores, disposes of, or collects PII to notify affected individuals of a breach.

The act defines PII as “any information, or compilation of information, in electronic or digital form serving as a means of identification.”  “Means of identification” carries its definition from 18 U.S.C. § 1028(d)(7): any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any:

  1. Name, Social Security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
  2. Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
  3. Unique electronic identification number, address, or routing code; or
  4. Telecommunication identifying information or access device.

Similarly, the second bill, the Data Breach Notification Act (S. 139), would require any federal agency or business entity engaged in interstate commerce to notify affected individuals of a breach involving their PII (as defined above).  Notice would not be required if (i) notification would hinder national security or a law enforcement investigation, or (ii) the agency or business entity notified the United States Secret Service, within 45 days after discovery of the security breach, that it has determined there is “no significant risk that a security breach has resulted in, or will result in, harm to the individual whose sensitive personally identifiable information was subject to the security breach.”  The bill would also require notice to the Secret Service if the breach involved (i) the records of more than 10,000 individuals, (ii) a database containing the PII of more than 1 million people, (iii) databases owned by the federal government, or (iv) the PII of federal government employees and contractors involved in national security or law enforcement.

These bills now face a full vote in the Senate.  We will update this post with any new developments.