Federal Information Security and Data Breach Notification Laws
LIBRARY OF CONGRESS WASHINGTON DC CONGRESSIONAL RESEARCH SERVICE
Pagination or Media Count:
The following report describes information security and data breach notification requirements included in the Privacy Act, the Federal Information Security Management Act, Office of Management and Budget Guidance, the Veterans Affairs Information Security Act, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, and the Fair Credit Reporting Act. Also included in this report is a brief summary of the Payment Card Industry Data Security Standard PCI DSS, an industry regulation developed by VISA, MasterCard, and other bank card distributors. Information security laws are designed to protect personally identifiable information from compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other situations where unauthorized persons have access or potential access to personally identifiable information for unauthorized purposes. Data breach notification laws typically require covered entities to implement a breach notification policy, and include requirements for incident reporting and handling and external breach notification. During the 110th Congress, three data security bills--S. 239 Feinstein, S. 495 Leahy, and S. 1178 Inouye--were reported favorably out of Senate committees. Those bills include information security and data breach notification requirements. Several other data security bills were also introduced. The 109th and 110th Congresses did not pass data security legislation. In the 111th Congress, expectations are that efforts to move data security legislation will continue this year.
- Information Science