A bill introduced in the US Senate would force businesses to conduct mandatory risk assessments or face hefty fines.
The bill (pdf) sought to quell the rising incidence of data breaches by requiring businesses follow guidelines for the safe storage of data
Violators would face fines exceeding US$5000 per infraction each day, and up to US$20 million for each violation.
Additionally, consumers affected by violations of the law would be able to file civil actions against the firm in question.
The 100-page measure called the Personal Data Protection and Breach Accountability Act of 2011, would require businesses with data of more than 10,000 customers to implement privacy and security programs to ensure the information is protected.
As part of the programs, businesses would be required to conduct risk assessments and regularly conduct vulnerability tests on key controls and systems.
“My goal is to prevent and deter data breaches that put people at risk of identity theft and other serious harm both by helping protect consumers' data before breaches occur, and by holding entities accountable when consumers' personally-identifiable information is compromised,” said US Senator Richard Blumenthal, who introduced the bill.
The bill would force businesses to notify customers “without reasonable delay” when their data has been breached and offer victims two years of free credit monitoring services.
The bill is just one of several introduced this year in US Congress that tackled with privacy issues.
“It's apparent that Congress is increasingly concerned about privacy issues,” said International Association of Privacy Professionals chief executive Trevor Hughes.
While privacy bills typically aimed to give consumers options about data use, Blumenthal's bill centred on accountability, he said.
“That development might be well received by many in the privacy community,” Hughes said.
A law that “harmonised” the patchwork of existing state privacy and data security requirements would likely be helpful to businesses and widely supported, according Andy Serwin, chair of the privacy practice at US law firm Foley and Lardner.
“If we are going to have comprehensive legislation at the federal level, careful thought would need to be given on how that integrates with what states have already done,” Serwin said.
The bill was referred to the Senate Judiciary Committee for review.