National Data Security Standards on the Horizon?

January 4, 2010

Nearly every state has laws addressing data security.  Many such laws, including Michigan's Identity Theft Protection Act, require businesses to notify consumers in the event of a breach of their data.  The specific notification requirements imposed by the various state laws are often inconsistent.  Some state laws also set standards that businesses must follow in securing consumer data.

In the past, several unsuccessful bills have been introduced to establish a comprehensive federal data security law applicable to all organizations and industries.  On December 8, 2009, the House of Representatives passed the Data Accountability and Trust Act (H.R. 2221).  If eventually enacted into law, the bill would require organizations to establish and implement policies and procedures regarding information security practices.

The bill would not mandate any specific policies or procedures. Instead, the adequacy of an organization's safeguards would be judged against various factors, including the size and scope of its activities, the current state of the art in administrative, technical and physical safeguards for protecting information, and the cost of implementing those safeguards.

The bill also includes data breach notification requirements that would preempt the various state law requirements.  Penalties for non-compliance could reach a maximum of $5 million.  It remains to be seen whether this bill will make it through the Senate and become law; however, it is the first and most decisive step so far toward establishing national data security standards.  The full text and PDF version of H.R. 2221 are available from the House of Representatives.

For more information about legislation or litigation involving technology, intellectual property protection of information technology assets or any other Information Technology law issue, contact your Miller Canfield attorney or Kathy Ossian, Leader of our Information Technology Team, or call her direct at 313.496.7644.