RL34120
Federal Information Security and Data Breach Notification Laws
January 29, 2009

Download Locations

Summary

The following report describes information security and data breach notification requirements included in the Privacy Act, the Federal Information Security Management Act, Office of Management and Budget Guidance, the Veterans Affairs Information Security Act, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, and the Fair Credit Reporting Act. Also included in this report is a brief summary of the Payment Card Industry Data Security Standard (PCI DSS), an industry regulation developed by VISA, MasterCard, and other bank card distributors. Information security laws are designed to protect personally identifiable information from compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other situations where unauthorized persons have access or potential access to personally identifiable information for unauthorized purposes. Data breach notification laws typically require covered entities to implement a breach notification policy, and include requirements for incident reporting and handling and external breach notification. During the 110th Congress, three data security bills—S. 239 (Feinstein), S. 495 (Leahy), and S. 1178 (Inouye)—were reported favorably out of Senate committees. Those bills include information security and data breach notification requirements. Several other data security bills were also introduced. The 109th and 110th Congresses did not pass data security legislation. In the 111th Congress, expectations are that efforts to move data security legislation will continue this year. As part of H.R. 1, the American Recovery and Reinvestment Act of 2009, the 111th Congress is considering legislation to promote the widespread adoption of health information technology (HIT). H.R. 1 includes provisions dealing with the security of health information, and requires covered entities to notify affected persons in cases of breach of protected health information. For related reports, see the Current Legislative Issues Web page for "Privacy and Data Security" available at http://www.crs.gov. This report will be updated.

    Related Legislation:
  • S.239
  • S.495
  • S.1178
  • H.R.1

XML

Available Versions