By Caleb Skeath
Last week, Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) re-introduced the Data Accountability and Trust Act (DATA Act) in the House of Representatives. The bill (H.R. 580), which has been introduced several times in previous years, would provide a nationwide data security standard, backed by FTC enforcement and civil penalties, as well as provisions requiring notification to affected individuals in the event of a data breach. Meanwhile, Sens. Dianne Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR), and Bill Nelson (D-FL) introduced a similar bill, the Data Security and Breach Notification Act (S. 177), in the Senate this week. The Senate bill is also a re-introduction of a previous bill, and would likewise provide FTC-enforced security standards and individual breach notifications.
Although the text of the DATA Act has not yet been released, a release from the bill’s sponsors stated that the bill will be “substantially similar” to prior versions. According to the release, the bill will define “personal information” to include an individual’s name in connection with (1) a Social Security number, (2) a driver’s license, passport, or other government-issued identification number, or (3) a financial account or credit or debit card number in combination with a security code or password that would permit access to an individual’s financial account. Commercial entities that own or process personal information would be required to implement effective information security procedures and policies to safeguard that information. Following a breach, entities would have to notify the affected individuals, in addition to the FTC. The FTC and state attorneys general would enforce the provisions of the bill, which would allow for civil penalties of up to $5 million for violations. The bill’s sponsors have announced a public briefing on the bill on February 6, during which they will provide more information about the bill’s provisions.
The Senate bill includes similar provisions on individual notification and security requirements for entities handling personal information, as well as FTC enforcement of its requirements. Some of the major provisions of the bill are highlighted below.
- Definition of Personal Information: The bill’s definition of “personal information,” which closely mirrors the definition in the White House’s proposal, includes (1) a non-truncated Social Security number; (2) a financial account, credit, or debit card number in combination with a security code, access code, or password; or (3) an individual’s first and last name in combination with (a) a government-issued identification number, (b) unique biometric data, (c) a unique account identifier, electronic identification number, user name, or routing code in combination with an access code or password required to obtain “any . . . thing of value,” or (d) any two of the following types of information: a home address or telephone number, a mother’s maiden name (if identified as such), or month, day, and year of birth. The FTC would have the authority to modify this definition by rulemaking.
- Security Requirements: The bill would require the FTC, within one year of the bill’s passage, to promulgate regulations on policies and procedures for handling personal information. These policies and procedures must include, among other items, a security policy for the collection, use, and dissemination of personal information.
- Notification Trigger and Timing: Following a breach, defined as the compromise of electronic data that results in unauthorized access or acquisition of personal information from an entity, the affected entity would have to notify all affected U.S. citizens and the FTC. As with the White House proposal, notifications must be made within 30 days, but the bill would waive the requirement if providing notice within 30 days is “not feasible” due to measures needed to “accurately identify affected customers,” “prevent further breach or unauthorized disclosures,” or “reasonably restore the integrity of the data system.” Entities can also obtain extensions if the FBI or the U.S. Secret Service determines that an extension is required for national security or criminal investigation reasons.
- Notification Method and Contents: Notifications to individuals would be provided in writing or, under certain conditions, via email. Substitute notification methods would be permitted in specific circumstances, and the FTC would issue rulemaking and guidance regarding notification methods. The bill includes specific content requirements for notifications and grants affected consumers the right to request free quarterly credit reports at the entity’s expense for 2 years after most breaches.
- Law Enforcement/Credit Agency Notifications: Entities would be required to provide notice to a federal recipient, to be designated by the Secretary of Homeland Security, if (1) the breach discloses the personal information of more than 10,000 consumers, (2) the breach involves a database with personal information of more than 1 million consumers, (3) the breach involves a database owned by the federal government, or (4) the breach primarily involves the personal information of individuals known to be federal employees involved in national security or law enforcement. This notification must be provided within 10 days after the discovery of the breach and at least 3 days prior to providing notice to individuals. If more than 5,000 consumers are affected, the entity must also notify credit agencies.
- Exemptions: The bill would exempt entities that are required to comply with GLBA or HIPAA, and would also excuse notification if the FBI or the U.S. Secret Service determines that notification should not be made for criminal investigative or national security reasons. In addition, an entity does not need to notify individuals if it concludes that there is no reasonable risk of “identity theft, fraud, or other unlawful conduct.” The entity can rely on a presumption that no such risk exists if the data is rendered unusable through encryption or similar security measures. The FTC and NIST will issue rules and guidance on what types of technology are appropriate to form the grounds for such a presumption.
- Enforcement: The individual notification requirements, as well as the requirements to maintain adequate security protections, would apply to any entity within the FTC’s jurisdiction, as well as to non-profit organizations. Violation of these provisions would be an unfair or deceptive trade practice, with joint enforcement by the FTC and state attorneys general. The bill provides for civil penalties of up to $11,000 for each violation, with each failure to notify an individual counting as a single violation. The bill, however, does include a cap of $5 million for all penalties from each security breach incident or information security violation. The Attorney General would enforce violations of the law enforcement notification requirement, with a maximum civil penalty of $1 million unless the violation is willful or intentional. Finally, the bill would criminalize the willful concealment of a security breach, which would be punishable by a $1,000 fine and up to 5 years in prison.
- Preemption: The bill would preempt state data breach notification laws, as well as any comparable information security requirements under state law. However, state attorneys general could still enforce general state consumer protection statutes.
These bills come shortly after a House hearing last week on the elements of a potential data breach notification bill. During the hearing, members of the House Subcommittee on Commerce, Manufacturing, and Trade discussed the extent to which a bill should preempt existing state data breach notification laws. Rep. Michael Burgess (R-TX), the Subcommittee Chairman, noted the need for a “single–but flexible–data security requirement” to provide relief for businesses that spend “too many resources” complying with different state laws. However, Rep. Jan Schakowsky (D-IL), the ranking member of the subcommittee, expressed concern that preemption could “eliminate” existing state law protections “that consumers expect and deserve.” Rep. Schakowsky also questioned whether the triggering language for notification of individuals should be linked to financial harm, noting that leaked employment records and health information can cause non-financial harm as well.