A new bill introduced in the House on Wednesday would require companies to notify consumers within 30 days if hackers obtain “sensitive” information — including photos, geolocation data and medical information.
The Consumer Privacy Protection Act, introduced by Rep. David Cicilline (D-R.I.) and backed by other Democrats, is a companion bill to a Senate measure proposed earlier this year by Patrick Leahy (D-Vt.) and supported by Richard Blumenthal (D-Conn.), Al Franken (D-Minn.), Ed Markey (D-Mass.), Elizabeth Warren (D-Mass.) and Ron Wyden (D-Ore.).
The measure also requires companies to implement security procedures, including ones to minimize the amount of “sensitive personally identifiable information” they retain. The concept of sensitive personally identifiable information is defined broadly to include bank account numbers and social security numbers, as well as data like online usernames and passwords, health-related information and password-protected photos and videos.
The bill's requirements apply only to companies with information about more than 10,000 customers.
The Consumer Privacy Protection Act — one of many data-breach proposals now under consideration on Capitol Hill — has drawn the support of consumer advocates, who favor the measure because it doesn't trump tougher state laws.
“Rep. Cicilline should be commended for introducing this common-sense alternative to other data breach and data security bills,” Public Knowledge's vice president of government affairs Chris Lewis said in a statement. “This bill creates a strong federal standard of privacy protections without preempting those state laws that have an even higher standard of protection.”
Consumer Watchdog's Privacy Project director John Simpson added that the bill “provides important protections for consumers’ data.”
The Direct Marketing Association has said it supports a national data breach bill that would preempt all state legislation.