Shortly before issuing his State of the Union address, President Obama released a proposed federal law mandating notification to individuals whose personal information is compromised in certain data breaches. Not long ago, I wouldn’t have written about this issue in a Manufacturer’s Corner column, but since I recently decided that the Internet of Things will expose manufacturers to litigation over data privacy, it seems appropriate.
For the manufacturers out there who may have missed it, I have written about the possibility of federal data breach notification legislation before. In the linked piece, I set out a wish list of what a federal data breach notification law would include and not include. Here’s a link to the President’s proposal. Let’s see how he did.
Ryan’s Wish List, Item 1: Federal Preemption – Granted.
Currently, the obligation to notify affected individuals of a data breach is governed by a patchwork of state laws. That’s a real pain, and it injects needless complexity into responding to a complex problem. The proposed federal law would mostly preempt state law, except that states may mandate that the notice provided include information regarding victim protection assistance provided by the state.
Ryan’s Wish List, Item 2: Clear Definition of Data Breach – Granted in part, denied in part.
The proposed law does a great job of defining a “security breach.” But, it doesn’t do a very good job of distinguishing one security breach from multiple security breaches. For instance, say a single attacker opens a backdoor to access sensitive personally identifiable information, and accesses it several times over several months. Is that one breach, or multiple breaches? If it is several breaches, must notice be given for each breach? Is it to be presumed that all the breaches were discovered at once? Some of these issues may be cleared up in subsequent rulemaking efforts, which are permitted under the proposed law.
Ryan’s Wish List, Item 3: Clear Notification Standards – Granted in part, denied in part.
The content required in the notices and the manner of delivery are quite clear, as is the timing standard in most instances (thirty days following knowledge of the breach). But, there is a safe-harbor provision that exempts a business from giving notice if a risk assessment reveals no reasonable risk that a breach has resulted or will result in harm to the individuals whose information is compromised. I think that’s a good idea in theory, but the proposed law is unclear on how it works in practice. What if reasonable minds could differ on the results of the risk assessment, but the Federal Trade Commission concludes there is a reasonable risk? What then? Safe harbors are not very safe when they rest on unclear standards, and this is an unclear standard.
Ryan’s Wish List, Item 4: Clear Treatment of Encryption – Granted.
In some state data breach notification laws, there was separate treatment for encrypted information, but the laws failed to specify when the information had to be encrypted for the separate treatment to apply – before or after the breach. The President’s proposal largely circumvents that issue by providing a presumption that there is no reasonable risk of harm to the individuals whose information is compromised if “the data at issue was rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted by experts in the field of information security[.]” In other words, it looks like the President’s answer is “encrypted before the breach, but if we have specific reason to believe the encryption failed, the ‘no reasonable risk’ presumption can be rebutted.” Good idea in theory; in practice, it invites dueling security experts.
Ryan’s Wish List, Item 5: Penalties Scaled to Number of Individuals Affected – Unclear.
The proposed law subjects violations to penalties under the Federal Trade Commission Act. It remains to be seen precisely how penalties will be levied. Expect rulemaking.
All things considered, the President did a fine job of granting my wishes. If the law is enacted, however, manufacturers will need to keep a close eye on the rulemaking process to ensure the FTC doesn’t turn this law into something it’s not.