Both sides of the aisle agree that data security and the protection of personally identifiable information (PII) are important priorities for businesses, and a series of bills is moving through Congress to make sure that companies treat them that way. H.R. 2221, the “Data Accountability and Trust Act” (DATA), passed the House on December 8 and is the third bill in the last few months aimed at data and information protection to receive general bipartisan approval. The Senate’s Committee on Commerce, Science and Transportation is currently reviewing DATA. If the bill enjoys the same success as its predecessors, all companies involved in interstate commerce will soon be required to comply with new data security regulations.

What do the new regulations under DATA mean for companies?

  1. All companies that store PII will be required to secure that information under auditable policies and procedures, including a secure, defensible data destruction process for all non-electronic information. The bill does not spell out what those policies and procedures must contain, so to meet the requirement companies will have to understand the regulations and best practices for their industry and build a strong program for securing their information on that basis.
  2. Companies that experience a security breach will be required to notify the FTC and will be subject to an audit of the security measures and policies they have in place; further audits may follow after the initial breach. To ensure compliance, companies will have to know, at all times, what PII they are storing and where it resides throughout the organization. Staying abreast of their information practices and storage locations will help them implement effective security controls, aid breach detection and reporting, and allow them to satisfy the audit process, since the bill requires an auditable trail for all PII.
  3. In addition to ensuring its accuracy and protection, companies will have to notify customers about the PII they are storing and give customers access to it. They must also have a responsive process for helping customers correct their data. This means a comprehensive view of all PII records will be needed so that information can be easily found and edited consistently everywhere it is held.

Though many states already have regulations covering data protection and breach notification, DATA would preempt all of those state rules and give companies a single framework for handling PII security. The flip side is that the federal rules could bring more stringent penalties and requirements than some businesses face today. Comprehensive data mapping and strong policy governance are essential to complying with this legislation, and preparing for its passage now will put companies ahead of the information security game.
