H.R. 2221 defines personal information as, “an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
- (i) Social Security number
- (ii) Driver’s license number or other State identification number
- (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”
Some more details include:
- The Federal Trade Commission would be the responsible agency.
- The FTC would ultimately define the proper technical procedures for protecting data.
- Organizations that have data need to establish a data security policy.
- Organizations must identify an information security officer.
- Organizations must have a process for identifying vulnerabilities, and monitoring for breaches.
- Organizations need a process for securely destroying data that is no longer required.
- Breaches need to be reported to the consumers affected, and the FTC, unless:
- “there is no reasonable risk of identity theft, fraud, or other unlawful conduct.”, which will be defined by the FTC should the bill pass.
- The organization experiencing the breach does not fall under the jurisdiction of the FTC.
Finally a federal law is coming for the definition of a breach and baseline for governance.