The Personal Data Notification & Protection Act, (the Act) one of many security- and privacy-related legislative measures proposed by U.S. President Barack Obama last month, is intended to provide uniformity in the measures required of companies in the event of a security breach related to sensitive personally identifiable information. In addition to delineating the required procedures in the event of a breach, the proposed Act also aims to provide consistent standards for what constitutes a “security breach” and “sensitive personally identifiable information” at the federal level to supersede the numerous iterations of these concepts scattered throughout applicable state laws.
The definition of “security breach” provided under the proposed Act includes any “compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in” unauthorized acquisition of or access to (including access for an unauthorized purpose or in excess of an authorized purpose) sensitive personally identifiable information. This definition also explicitly excludes authorized activities of federal or state law enforcement agencies or federal intelligence agencies. The proposed Act also provides a broad definition of “sensitive personally identifiable information” that includes data such as Social Security, driver’s license, or passport numbers; unique biometric data (e.g., fingerprints or retina images); and unique account identifiers, even when such data is not associated with an individual’s name. In addition, the proposed Act allows the Federal Trade Commission (FTC) to promulgate rules that modify the definition of sensitive personally identifiable information to achieve the proposed Act’s purpose.
The mandatory procedures under the proposed Act, which would preempt currently applicable state laws, apply to any business entity “that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period.” The procedures require a business entity to notify any individual whose sensitive personally identifiable information was, or is reasonably believed to be, subject to the security breach within 30 days of the breach’s discovery unless there is “no reasonable risk of harm or fraud” to the individual. The proposed Act provides for certain limited exceptions to this notice requirement and allows for a possible extended notice period through either a business entity petitioning the FTC or a federal law enforcement agency’s determination (e.g., for reasons of national security or criminal investigations).
The proposed Act also contains provisions that address the form and content of the required notices to individuals and the situations in which corresponding notices must be sent to consumer reporting agencies and law enforcement and national security agencies. Of note, these corresponding notice situations each include a security breach that involves more than 5,000 individuals.