Sen. Pat Toomey (R-PA) recently introduced a bill in the United States Senate that would establish a federal breach notification requirement for certain companies and preempt state breach notification laws that are currently in effect for 46 states.  The Data Security and Breach Notification Act of 2012, S.3333, would require companies that “collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security.”  Toomey cited the “messy patchwork of 46 different state laws” that companies must account for in responding to a data breach, and asserted that, by preempting those laws, his bill would “establish a single reasonable standard for information security and breach notification practices.”

The bill applies to entities that are subject to the Federal Trade Commission’s jurisdiction under Section 5 of the FTC Act, and “common carriers subject to the Communications Act of 1934.”  S.3333 would not apply to financial institutions that are covered under Title V of the Gramm-Leach-Bliley Act or covered entities that are subject to breach notification requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).Continue Reading Sen. Toomey’s Federal Breach Notification Bill Would Preempt More Restrictive State Laws