Today the Senate Judiciary Committee approved two federal data security bills, Senator Leahy's S. 1490, the Personal Data Privacy and Security Act, and Senator Feinstein's S. 139, the Data Breach Notification Act. Of course, there have been dozens of proposed federal breach notification bills over the past several years, from both sides of the aisle. Senator Leahy's office issued this statement earlier today. While we cannot predict the fate of S. 1490 and S. 139, and we will have future occasion to comment on the bills in more detail, Tanya and I wanted to highlight a few notable provisions now.
S. 139 appears to greatly expand the categories of personal information that would result in a notice obligation in the event of a breach. Under the bill, “sensitive personally identifiable information” includes first name and last name in conjunction with any 2 of the following pieces of information: home address or telephone number; mother's maiden name; or month, day, and year of birth. This definition would significantly alter a company's notice obligations under the current state regulatory scheme (most states follow California's model, requiring notice only for breaches involving name in conjunction with Social Security number, driver's license number, financial account number, and in some cases medical information). Under S. 139, a company that suffers a breach exposing only first and last name, address (or phone number), and date of birth would have notice obligations (subject to the risk-of-harm threshold incorporated into the bill, discussed below), including a requirement to notify the DOJ, resulting in further scrutiny. Moreover, this bill allows for fines of up to $1,000 per day per impacted person (up to $1 million).