Sen. Richard Blumenthal's (D, Conn.) proposed "Personal Data Protection and Breach Accountability Act of 2011" comes amid growing concern over how vast amounts of online personal data, vulnerable to attack, are stored, used and protected.
The measure would require businesses holding private information on more than 10,000 customers to implement privacy and security programs for storing that information and to respond quickly to intrusions.
If passed into law, the Justice Department would be able to impose fines of $5,000 per violation per day, up to a maximum of $20 million per infringement. In addition, businesses that ignore the new data protection law may have to pay for two years of credit monitoring and may face civil litigation.
"The goal of the proposed law is essentially to hold accountable the companies and entities that store private information and private data and to deter data breaches," Blumenthal said. "While looking at past data breaches, I have been struck by how many are preventable."
Blumenthal vocally criticized Sony's handling of an attack on its servers, which compromised data from 77 million customers. Soon after Sony disclosed the breach, the senator pressed Sony President Jack Tretton to explain the company's six-day delay before notifying customers.
If the bill becomes law, customers will be able to sue companies that fail to take adequate security precautions.
"The Sony data breach has become a poster child of why we need this law," Blumenthal said. "We were working on this legislation before that data breach occurred, but Sony is a great example of why this law should exist."
The legislation also boosts the criminal penalties for identity theft and other crimes, such as concealing a breach involving sensitive personal data or installing a data collection program on someone's computer.