Last Thursday, the Senate Judiciary Committee began its consideration of the several pending data security bills by marking up S. 1151, the legislation introduced by Sen. Patrick Leahy (D-VT). 

S. 1151 would require business entities to develop a data privacy and security plan for protecting sensitive personally identifiable information, require agencies and business entities to notify U.S. residents in the event of a security breach involving such information, and impose criminal penalties for intentionally and willfully failing to provide notice of a security breach.

The original version of the bill also contained separate privacy requirements for data brokers, but a substitute amendment deleting that title was adopted by the Committee on Thursday.  The panel also accepted an amendment proposed by Sen. Chuck Grassley (R-IO), which clarified that the definition of “exceeds authorized access” in the Computer Fraud and Abuse Act does not include violations of Internet terms of service agreements or employment agreements restricting computer access, and a separate manager’s amendment which limited civil liability and penalties.

Other amendments offered by Sen. Grassley and Sen. Al Franken (D-MN) — which, among other things, would impose a three-year sentencing minimum for criminal data breach activities, prohibit state attorneys general from hiring outside private counsel on a contingency fee basis to assist with data privacy litigation, and impose data minimization requirements — were held over until the next executive business meeting, which is scheduled for this Thursday. 

Two other data security bills are also on the agenda for the upcoming Thursday meeting:  S. 1408, introduced by Sen. Dianne Feinstein (D-CA), and S. 1535, introduced by Sen. Richard Blumenthal (D-CT).