In the wake of the recent retail data breaches, at least two new federal breach notification bills have been introduced into Congress. However, such measures are not new. Over the last five years, countless federal bills have been introduced (and have quickly died) in an effort to reduce the 46 different state breach notification laws down to one. Opponents of the federal bills, however, argue that any federal breach notification requirement would just require an organization suffering a breach to have to also comply with 47 breach laws, given the gaps in the laws. Here’s a summary of the two recently proposed bills:
Personal Data Privacy and Security Act
Senator Tom Leahy (D-VT) recently reintroduced the “Personal Data Privacy and Security Act”, which he first authored and sponsored in 2005 and has reintroduced in each of the last four Congresses. The bill has been referred to the Senate Judiciary Committee for consideration. The bill would establish a national standard for data breach notification and require U.S. businesses that collect and store consumers’ confidential personal information to safeguard that information from cyber threats.
The bill includes a proposed criminal statute that would make it a crime for anyone with “knowledge of a security breach and of the fact that notice of such security breach is required” under the Act to “intentionally and willfully” conceal the security breach. A violation of the statute would be punishable by a fine, up to five years imprisonment, or both.
When compared to most state breach notification laws, Senator Leahy’s proposed federal data breach notification law would require notification to more individuals, since its definition of “personal information” is broader. Under the proposed law, notification would be required when an individual’s name is acquired together with their home address, telephone number, mother’s maiden name, or full date of birth. In addition, acquisition of or access to an individual’s social security number, driver’s license number or passport number, biometric data (such as a fingerprint), financial account information or username would trigger a breach notification obligation. Violators are subject to a civil penalty of up to $11,000 per day, per security breach, with a maximum penalty cap of $1 million per security breach.
The proposed security breach notification law, however, includes a “safe harbor” provision that allows companies to conduct a risk assessment to determine whether there is a “significant risk” that the breach will result in identity theft or economic or physical harm to an individual. If an organization determines there is no significant risk of harm, it can report that risk assessment to the Federal Trade Commission (FTC), which may grant a notification exemption.
The bill also includes a requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security.
Data Security Act of 2014
Senators Tom Carper (D-DE) and Roy Blunt (R-MO) have introduced bipartisan legislation in the Senate to narrow the 46 state breach notification laws down to one. The Data Security Act of 2014 has been referred to the Committee on Banking, Housing, and Urban Affairs.
Modeled after the Gramm-Leach-Bliley Act of 1999, the Data Security Act of 2014 would require entities such as financial institutions, retailers, and federal agencies to better safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud. These new requirements would apply to businesses that take credit or debit card information, data brokers that compile private information, and government agencies that possess nonpublic personal information.
According to the initial filings, this bill seeks to “prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.” One major criticism from some, however, is that this bill prevents consumers from filing private or class actions against the breached organization.
Under the proposed law, if a financial institution, retailer, federal agency, or other entity determines that sensitive information was compromised (or may have been compromised), the Data Security Act of 2014 requires the entity to investigate the scope of the breach and the type of information compromised or potentially compromised, and to determine whether the information is likely to be used to cause harm to an individual or to commit bank fraud. If it is determined that the information was compromised and will cause harm, the entity must notify the appropriate federal regulatory agency, law enforcement, all consumers affected by the breach, and, where the breach affects more than 5,000 consumers, the national consumer reporting agencies.
Complexity and confusion continue
While data privacy is at the top of most organizations’ concerns, only a few legislators are taking the issue seriously. Most of the “new” bills being introduced are reintroductions of old ones that have failed. Added to this is the battle between federal and state enforcement power, and the varying thresholds among the state breach laws for determining when an incident becomes a notifiable “breach”. There is also the problem of too many congressional committees claiming jurisdiction over this type of federal law. How can we ever pass an overarching federal breach notification law when we can’t even figure out where the debate should take place?
For now, the 46 state breach notification statutes (in addition to any applicable federal and industry-specific regulations) govern an organization’s notification requirements at the time of a data breach. When a breach occurs, the impacted organization must comply with the statute of the state of residence of each affected individual. Thus, a one-size-fits-all notification letter cannot be used, as it would violate several of the state statutes. In addition, several states impose extra notice requirements (such as providing notice to the state attorney general, state police, or office of consumer affairs). Moreover, applicable federal and industry-specific laws add their own layers of nuanced requirements. Proactive planning is critical, as is engaging appropriate and experienced legal counsel to handle a data breach or any privacy counseling.