CBO Scores Data Breach Notification Act
The Data Breach Notification Act (S. 1408) would require most federal agencies and business entities that collect, transmit, store, or use sensitive personal information to notify any individuals whose information has been unlawfully accessed through a breach in security systems designed to protect such information from unauthorized access.
The legislation defines sensitive personal information as combinations of an individual’s name, address or phone number, and Social Security number, driver’s license number, financial account information, or biometric data (that is, fingerprint, voiceprint, or retina scan). Under certain circumstances, entities could apply to the federal government for exemptions from those notification requirements. In addition, the affected entities would be required to notify the Department of Homeland Security (DHS) and the Federal Trade Commission (FTC) of a security breach. Finally, S. 1408 would impose civil penalties on entities that fail to provide notice to affected individuals.
CBO estimates that, assuming appropriation of the necessary amounts, implementing the bill would cost about $15 million over the 2012-2016 period. Enacting the bill also could affect direct spending and revenues; therefore, pay-as-you-go procedures apply. However, any such effects would not be significant.
S. 1408 contains intergovernmental and private-sector mandates, as defined in the Unfunded Mandates Reform Act (UMRA), but CBO estimates the costs to comply with those mandates would not exceed the thresholds in that act ($71 million and $142 million, respectively, in 2011, adjusted annually for inflation).