On March 25, 2015, the United States House of Representatives Energy & Commerce Committee approved a bipartisan draft of the Data Security and Breach Notification Act of 2015 (the “Act”). As background for considering the Act, a memorandum from the Committee Majority Staff stated that “[c]urrently, there are 47 different State laws dealing with data breach notification and twelve State laws governing commercial data security. This patchwork of State laws creates confusion for consumers looking for consistency and predictability in breach notices as well as complex compliance issues for businesses as they secure their systems after a breach.”
The Act – which is not yet law – would provide national standards regarding data security, data breach notification, the enforcement of national security standards, and maintenance of and interaction with existing consumer protections. As set forth in the Committee’s overview of the Act:
- The Act would “set a national standard for covered entities to implement and maintain reasonable security measures and practices to protect and secure personal information.”
- The Act would require “covered entities to conduct a good faith investigation after discovering a breach of security to determine if there is a reasonable risk of identity theft, economic loss or harm, or financial fraud.”
- The Act would require notification to “be provided to consumers as expeditiously as possible and not later than 30 days after the covered entity has taken the necessary measures to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.”
- The Act would define “personal information to include personal information tied to ID theft and/or payment fraud, such as: SS#; financial account credentials; other account credentials, including biometric, for accounts that allow consumers to obtain money or make purchases; name coupled with drivers license or other government-issued unique identification number; amongst others.”
- The Act would replace the patchwork of state and territory laws.
- Under the Act, “[a] violation of the Act is an unfair and deceptive act or practice under the FTC Act and violations may be enforced by the FTC or state attorneys general.” Under the Act, “[b]oth the FTC and state attorneys general have the power to obtain civil penalties for violations of the data security and breach notification requirements.”
- Under the Act, there is no private right of action.
If the Act does become law, it could dramatically alter businesses’ exposure to liability in the wake of a data breach. For example, in response to several recent data breaches, individuals initiated class action lawsuits against public companies. By abolishing any private right of action, and preempting similar state and territory laws, the Act may prevent such class action lawsuits in the future. Florida businesses would be well served to understand how existing and proposed laws regarding data breaches and data privacy will affect them.