In the aftermath of security breaches at Johns Hopkins University and the Department of Veterans Affairs, business leaders embraced a proposed state law that would require prompt reporting of security breaches.
The bill introduced by Del. Carolyn Howard, D-Prince George's, would require businesses that collect and store personal consumer information, including names and Social Security numbers, to notify consumers within five days when that personal information has been stolen or is at risk of being misused. The bill would apply to businesses that gross at least $1 million annually.
Last month, the personal information of thousands of patients and employees of Johns Hopkins University was lost during a routine backup procedure. A courier allegedly misplaced the computer tapes, and the hospital said the tapes were later burned. Last June, the Department of Veterans Affairs reported that a laptop containing millions of Social Security numbers of military personnel was stolen from Aspen Hill in Montgomery County. The laptop was later recovered, and the Pentagon maintains there was no misuse of the information.
Howard's bill was one of three that had a public hearing Wednesday before the House Economic Matters Committee. Of the three bills, Howard's had the most support from the business industry.
“We would rather see a federal solution to this, but that doesn't seem to be on the horizon,” said Chris DiPietro, a lobbyist representing corporate interests. “Breach notifications are happening now without the state law because businesses are stepping up.”
Bob Enten, a representative for the Maryland Bankers Association, asked committee members to consider exempting banks from the state reporting laws because most financial institutions are already required by federal law to report security breaches.
Other representatives from Lexis-Nexis and Johns Hopkins University requested lawmakers extend the reporting deadline, saying five days was too short a time to investigate potential data theft and notify all the affected consumers.
But Ellen Valentino, state director of the National Federation of Independent Businesses, urged lawmakers to reconsider penalties for noncompliance, currently $1,000 for the first violation and $5,000 for repeat violations.
