The U.S. Senate Judiciary Committee has approved two bills that would require organizations with data breaches to report them to potential victims.
The Judiciary Committee on Thursday voted to approve both the Personal Data Privacy and Security Act and the Data Breach Notification Act by large majorities.
The Data Breach Notification Act, sponsored by Senator Dianne Feinstein, a California Democrat, would require U.S. agencies and businesses that engage in interstate commerce to report data breaches to victims whose personal information "has been, or is reasonably believed to have been, accessed, or acquired."
Feinstein's bill would also require agencies and businesses to report large data breaches to the U.S. Secret Service
The Personal Data Privacy and Security Act would also require that organizations that maintain personal data give notice to potential victims and law-enforcement authorities when they have a data breach. It would increase criminal penalties for electronic-data theft and allow people to have access to, and correct, personal data held by commercial data brokers.
The second bill, sponsored by Senator Patrick Leahy, the Judiciary Committee chairman and a Vermont Democrat, would also require the U.S. government to establish rules protecting privacy and security when it uses information from commercial data brokers.
Several tech groups have called for the U.S. Congress to pass national data-breach notification legislation. Since a series of high-profile data breaches in early 2005, about 45 states have passed data-breach notification laws.
It's difficult for companies to comply with the separate state laws, officials from cybersecurity product vendor Symantec have said.
Symantec CEO Enrique Salem sent a letter to the committee Wednesday in support of the Leahy data-breach bill.
The Leahy bill "is a major step forward towards enacting a comprehensive, uniform national framework to better prevent breaches of sensitive consumer information as well as setting a clear standard for effective notification should a breach occur," Salem wrote.
Symantec supports the bill's language saying that if personal data is encrypted or otherwise rendered unusable, organizations don't have to report the data breach, the letter said. The committee has recognized "there are widely accepted industry best practices and standards for data security that companies can look to as a road map for compliance when protecting electronic data," Salem wrote.
The Business Software Alliance, a trade group, also praised the committee for approving both bills.
"In recent years, hundreds of millions of individual records containing sensitive personal information have been involved in computer security breaches," BSA President and CEO Robert Holleyman said in a statement. "The frequency and severity of data breaches have prompted more than 45 states to pass data security laws, creating a confusing patchwork quilt of regulations."
Both bills now head to the full Senate for votes. The timeline for action in the Senate is unclear.