The FTC's testimony this week called for additions to the bill:
- The provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form
- The proposed requirements should be extended so that they apply to telephone companies
- The bill should grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted
The bill extends civil action power to state attorneys general, much like HITECH does. It provides for a maximum penalty of $11,000 per day for each day an entity is found not to be in compliance, and caps penalties at:
- $5 million for each violation of the security and compliance requirements
- $5 million for all violations of the breach notification requirements
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.