President Obama’s new proposed Personal Data Notification and Protection Act provides a national standard for companies responding to security breaches.

In his State of the Union Address on January 20, U.S. President Barack Obama featured his proposed Personal Data Notification and Protection Act—federal legislation that would replace the existing patchwork of state data breach notification laws with a unified national standard for companies responding to data security breaches. The president’s proposal comes at a particularly relevant time in light of recent cybersecurity attacks and large-scale data breaches affecting retailers, banks, and other national companies.

Background

Currently, 46 states and the District of Columbia have laws that address data breaches involving personal information. Although these laws generally require companies to notify consumers of breaches that result in an unauthorized acquisition of personal information, each state law contains varying requirements with respect to reporting breaches to state agencies and consumer reporting agencies. The proposed Personal Data Notification and Protection Act, which is still subject to refinement and debate in Congress, would create a single national standard for companies responding to data breaches. The proposal focuses on core notification issues, like when and how to provide notice, who is covered, and exceptions that may apply. It provides for enforcement by the Federal Trade Commission (FTC) and state attorneys general.

Notification Requirements

The president’s legislative proposal applies to any business entity that uses, accesses, transmits, stores, disposes of, or collects sensitive, personally identifiable information about more than 10,000 individuals during any 12-month period. In the event of a security breach, these entities must notify any individual whose sensitive, personally identifiable information has been, or is reasonably believed to have been, accessed or acquired by hackers or other unauthorized outside entities, unless there is no reasonable risk of harm or fraud to such individual. Specifically, business entities must notify their employees and customers of a security breach within 30 days. The proposed legislation provides for the possibility of an extension of up to 30 additional days if business entities demonstrate to the FTC that additional time is necessary to determine the scope of the security breach, prevent further disclosures, conduct risk assessments, and restore the reasonable integrity of their data systems.

Business entities may notify affected individuals in writing to the last known home mailing address, by phone, or by email, if the individual has consented to receive such notice and the notice is consistent with the provisions of the Electronic Signatures in Global and National Commerce Act. Under the proposed legislation, a business entity must also provide notice to a major media outlet that serves the relevant state or jurisdiction if the number of residents of a state whose sensitive, personally identifiable information was compromised exceeds 5,000 individuals.

The notification must include the following:

  • A description of the categories of sensitive, personally identifiable information that was or is reasonably believed to have been, accessed, or acquired by an unauthorized person
  • A toll-free number that the individual may use to contact the business entity and from which the individual may learn what types of sensitive, personally identifiable information the business entity maintained about that individual
  • The toll-free numbers and addresses for the major credit reporting agencies and the FTC

If a business must notify more than 5,000 individuals, it must also notify all national consumer reporting agencies of the notices’ timing and distribution prior to distribution (provided that such notice will not delay the notice to the individuals). A business must also notify an entity designated by the Secretary of Homeland Security if the data breach affects more than 5,000 individuals, involves a database that contains protected information of more than 500,000 individuals nationwide, involves databases owned by the federal government, or involves primarily protected information of individuals the business knows to be employees or contractors of the federal government involved in national security or law enforcement. Notice to the federal government must occur 72 hours prior to notifying affected individuals or 10 days after discovering the incident, whichever is first.

What Constitutes “Sensitive, Personally Identifiable Information”

Notably, the proposed legislation’s definition of what constitutes “sensitive, personally identifiable information” is more expansive than corresponding definitions of personal information in existing state data breach laws. Specifically, in the president’s proposal, a business entity’s duty to notify individuals of a security breach is triggered when the compromised information includes certain sensitive information, even when it is not combined with an individual’s name. Typically, under existing state laws, if the compromised data includes sensitive information (e.g., a Social Security number) but not an individual’s name, there is no obligation to disclose the data breach.

Specifically, “sensitive, personally identifiable information” is defined to include the following:

  • An individual’s first and last name or first initial and last name in combination with any two of the following data elements:
    • Home address or telephone number
    • Mother’s maiden name
    • Month, day, and year of birth
  • A nontruncated Social Security number, driver’s license number, passport number, or alien registration number or other government-issued unique identification number
  • Unique biometric data, such as a fingerprint, voice print, retina or iris image, or any other unique physical representation
  • A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, username, or routing code
  • A username or email address in combination with a password or security question and answer that would permit access to an online account
  • Any combination of the following data elements:
    • An individual’s first and last name or first initial and last name
    • A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, username, or routing code
    • Any security code, access code, or password, or any source code that could be used to generate such codes or passwords

This expansive definition of sensitive personally identifiable information may impact not only the frequency of security breaches that trigger a duty to notify, but also what information businesses choose to maintain and how they elect to protect that information.

Exemptions from Notice Obligation

The proposed legislation also provides for certain “safe harbors” that exempt business entities from the notice requirements. Specifically, a company can be exempt from the notice requirements if it (a) concludes that, based on a risk assessment, there is no reasonable risk that a security breach has resulted in, or will result in, harm to the individuals; and (b) notifies the FTC of the risk assessment’s results and its decision to invoke the risk assessment exemption. In addition, under the financial fraud prevention exemption, a business can be exempt from the notice requirement when a breach involves a credit card number or credit card security code if it uses or participates in a security program that (a) effectively blocks the use of the sensitive, personally identifiable information to initiate unauthorized financial transactions before they are charged to the account; and (b) notifies affected individuals after a security breach has resulted in fraud or unauthorized transactions.

In addition, a business entity may be exempt from providing notice if an owner or licensee of the protected information, or other designated third party, provides such notification. A business that uses, accesses, transmits, stores, disposes of, or collects protected information that it does not own or license, however, must notify the owner or licensee of the information following the discovery of a security breach.

Role of State Attorneys General and Enforcement

Compliance with the provisions of the proposed Personal Data Notification and Protection Act will be enforced under the Federal Trade Commission Act (FTCA), and any violation of a requirement or prohibition will constitute an unfair or deceptive act or practice in violation of the FTCA.

Furthermore, although the act supersedes current state law requirements, state attorneys general may bring civil actions on behalf of the state’s residents to enjoin any prohibited practices, enforce compliance with the legislation, or impose civil penalties. The proposed legislation provides for the imposition of civil penalties up to $1,000 per day per individual whose information was compromised, for a maximum of $1 million per violation.