Blog: Chronicle of Data Protection | 15 June 2011
A House subcommittee held a hearing yesterday on the SAFE Data Act, a draft data security and breach notification bill that, among other things, would require businesses to minimize the amount of personal information they maintain about consumers and notify law enforcement within a very short time frame -- within 48 hours of discovering a breach. The draft legislation, which was presented by Rep. Mary Bono Mack (R-CA), is based upon a similar proposal that passed the House in 2009 but stalled in the Senate.
Rep. Bono Mack, the Chairman of the House Subcommittee on Commerce, Manufacturing, and Trade, called the draft bill “an upgraded, 2.0 version of data-security legislation, encompassing many of the lessons learned in the aftermath of massive data breaches at Sony and Epsilon, which put more than 100 million consumer accounts at risk.” The proposed legislation would:
These requirements would be enforced by the FTC and state attorneys general. The draft bill does not provide for a private right of action, and it specifically exempts from coverage entities subject to GLBA and HIPAA data security requirements.
At yesterday’s hearing before the Subcommittee on Commerce, Manufacturing, and Trade—which also held a hearing on June 2 regarding the Sony and Epsilon breaches, as well as a general hearing on May 4 about the ongoing threat of data breaches to consumers—reactions to the Bono Mack proposal were mixed. FTC Commissioner Edith Rodriguez, a witness at the hearing, expressed concern that the draft bill did not set a specific deadline for the risk assessment that a company must complete following a breach. “There ought to be some form of cutoff period to ensure that consumers receive appropriate notification,” Rodriguez said.
One lawmaker criticized the draft bill’s data minimization requirements, noting that data about consumers may be retained for a long period of time for good reason, while others said the proposal went too far by giving the FTC authority to change the definition of personal information and by requiring notification when there is a “reasonable” risk of harm (instead of the narrower “significant” risk standard).
If the draft legislation is formally introduced in the House—and Bono Mack has said she is hoping to move the bill through the chamber before the August recess—it will join a growing number of privacy and data security bills that have been introduced in Congress this year. Indeed, on the same day as the hearing on the Bono Mack proposal, Senators John Rockefeller and Mark Pryor introduced legislation that would also require companies to safeguard personal information and inform consumers in the event of a breach. Separately on that day, Senators Al Franken and Richard Blumenthal introduced a bill that would require mobile device makers and app developers to obtain consumers’ express consent before collecting and sharing their location information.