Last week, President Obama proposed wide-reaching legislation to establish a uniform, nationwide standard for data breach notifications that envisions a significant enforcement role for the Consumer Financial Protection Bureau (CFPB). The proposal, titled the Personal Data Notification and Protection Act, can be found here. In terms of the types of covered data, the White House proposal significantly expands on prior breach notification bills. The proposal, however, includes certain exemptions from the individual notice requirements that apply to small businesses and to breaches that do not pose a reasonable risk of harm to the affected individuals. The proposal designates the Federal Trade Commission (FTC) as the primary enforcement agency with broad rulemaking authority, but requires the FTC to coordinate with the CFPB where the data breach relates to “financial information or information associated with the provision of financial products or services.” The proposal would also preempt state law data breach notice procedures.
The President’s bill broadly defines the categories of covered data and further groups them into data that is sensitive on its own, or sensitive in combination with other data elements. The result is a proposal that applies to a wider range of data breaches as compared to prior, similar bills. For example, in a departure from previous bills, the White House proposal requires businesses to comply with notice requirements where disclosure consists solely of driver’s license or passport numbers. Prior bills triggered notification only where the disclosure of driver’s license or passport numbers were accompanied by the individual’s name.
Other notable business requirements of the proposal include, but are not limited to, the following:
- 30-day notice to individuals
- Individual notice by mail, telephone or, under certain conditions, email
- Media notice where the breach affects more than 5,000 individuals in a single state
- Notice to the federal government under certain circumstances, including where the breach involves more than 5,000 individuals
- Notice to credit reporting agencies where the breach involves more than 5,000 individuals
Businesses that do not access, store, or use covered data for more than 10,000 individuals during a 12-month period are exempt from the individual notice requirements. Likewise, the businesses that conduct a “risk assessment” concluding that the data breach did not result in, and will not result in, harm to affected individuals, is also exempt from the individual notice requirements. To qualify for this safe harbor protection, within 30 days of discovery of the breach, the business must notify the FTC of the results of its “risk assessment” and its intent to invoke the safe harbor.