Senator Leahy has introduced the Personal Data Privacy and Security Act of 2011. I haven’t had time to read it yet, but just skimming it, I see some good provisions in there, but I also see two immediate concerns:
1. It appears to apply only to electronic data (not paper records), and
2. The definition of “security breach” includes a clause “and which present a significant risk of harm or fraud to any individual.” So it’s not a security breach for purposes of this bill if there’s no significant risk of harm or fraud.
Haven’t yet gotten to how that risk is determined to be “significant.”
More on this one later this week….
One mention of data retention on this one. Why is there not more on the matter?