On Thursday, March 12, 2015, House Energy & Commerce Subcommittee on Commerce, Manufacturing, and Trade Chairman Michael Burgess (R-TX), along with Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT), released draft text of new data security and breach notification legislation. The bill, titled “Data Security and Breach Notification Act of 2015,” would create a federal uniform data security and breach notification standard.
The bill is very similar to other breach notification bills introduced in recent weeks, in that it would require covered entities to implement systems to secure private data and would require notice to affected individuals in the event of a breach. However, the security requirements are more broad in nature; indeed, the bill requires covered entities to only “implement and maintain reasonable security measures and practices to protect and secure personal information in electronic form against unauthorized access as appropriate for the size and complexity of such covered entity and the nature and scope of its activities.” A summary released by the subcommittee states, “The requirement is a technology and process neutral standard to protect consumers while being flexible enough to allow for innovation and new technologies.”
Covered entities are defined as “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other entity in or affecting commerce that acquires, maintains, stores, sells, or otherwise uses data in electronic form that includes personal information, over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act.” The definition exempts entities covered by the Health Insurance Portability and Accountability Act, (HIPAA) as well as those governed by the Gramm-Leach-Bliley Act.
Under the bill, covered entities would be required to give notice of a breach to consumers no later than 30 days after discovery of a breach, unless there is no risk of identity theft or economic harm due to protective measures, such as encryption of data. If the breach affects more than 10,000 people, the affected entity must also notify the Federal Trade Commission (FTC), FBI and Secret Service, as well as the consumer credit reporting agencies. Affected entities may provide notice either through written mail or email.
As with other proposals, enforcement power would be given to the FTC, while state attorneys general would also have the power to bring civil actions in U.S. district court. The bill would preempt all state laws governing data security and breach notification.