On April 17, advocates in support of a federal data security and breach notification law achieved a victory when the House Energy and Commerce Committee passed a bill supporting national legislation. The proposed Data Security and Notification Act of 2015 (the “Act”) seeks to codify uniform regulations governing consumer personal information throughout the United States. The Act would preempt existing inconsistent state laws and provide a single standard for compliance.
The bill narrows the definition of personal information, establishes breach notification timeframes, and limits enforcement authority almost exclusively to the FTC. Importantly, under the proposed law, a notice of breach must be provided to consumers within 30 days. In contrast, existing state laws vary widely regarding notification time requirements (e.g., 10, 30, 45 days). Also, the bill reduces the scope of incidents that require action to breaches involving potential “financial harm.” This financial harm prerequisite significantly narrows the basis for required notification in 33 states and the District of Columbia. The new language seeks to reduce the exposure to noncompliance that often compels organizations to either adhere to a “highest standard” practice or risk costly violations.
Critics of the bill oppose the expanded enforcement authority of the FTC because it restricts actions by state attorneys general. However, the most vocal critics of the current language denounce the elimination of consumers’ private rights of action that currently exist in 10 states.