On January 12, 2015, U.S. President Barak Obama proposed the Personal Data Notification & Protection Act (“the Bill”), which would create a federal standard for data breach notification. The Bill comes at a time when both the public and private sectors have been under increasing cyber attacks, and is part of a wider effort by the U.S. administration in the cybersecurity area.
A brief analysis of the Bill’s key provisions is as follows:
- The basic obligation -
The Bill would require businesses to notify individuals whose sensitive personally identifiable information (“SPII”) has been or is reasonably believed to have been acquired or accessed without authorization unless there is no reasonable risk of harm or fraud to the individual. The Bill also authorizes the Federal Trade Commission (“FTC”) to amend the definition of SPII to ensure the law remains relevant as technology evolves.
The Bill details when a security breach gives rise to an obligation to notify affected individuals. The Bill broadly defines “security breach” to include instances in which there is a reasonable basis to conclude that an unauthorized acquisition of or access to SPII occurred.
- Small businesses -
Considering the possible burden that notification can place on small businesses, the Bill only requires those “businesses that use, access, transmit, store, dispose of, or collect sensitive personally identifiable information about more than 10,000 individuals in any 12-month period” to notify individuals of a security breach that may affect their SPII.
- Vendors -
The Bill also takes into consideration businesses that give vendors access to their SPII. The Bill relieves vendors - and other business entities that do not own or license personally identifiable information - of any obligation to notify individuals of a breach of that information unless there is a contractual agreement to the contrary. Instead, vendors must notify the owners or licensees of SPII in the event of a security breach, and those owners and licensees in turn must provide any required notification.
- Timing, method and content of notification -
Under the Bill, businesses must make required notifications “without unreasonable delay,” which shall not exceed 30 days, unless the entity demonstrates to the FTC that additional time is necessary, or the government delays notification for the purposes of law enforcement or national security. Individual notice may be provided by mail, telephone, or e-mail (if the individual has consented to receive notice by e-mail).
In addition, a business must provide notice to the media when the number of affected individuals in any one state exceeds 5,000.
The content of a notice must include a description of the categories of SPII acquired or accessed, a toll-free number that an individual can call to find out what types of SPII a company maintains about him or her, and contact information for the major credit reporting agencies and the FTC.
- Risk assessment -
Generally, as mentioned, an individual notification is required when a security breach occurs. However, a risk-based exemption narrows this obligation where “there is no reasonable risk of harm or fraud” to the individual whose SPII was acquired or accessed. According to the Bill, there is a narrow window for a business to conduct a risk assessment after it learns of a security breach, and within 30 days after discovering a security breach, the business must notify the FTC of the results of the risk assessment and the business’s decision to invoke the risk assessment exemption.
The risk assessment must be conducted “in a reasonable manner or according to standards generally accepted by experts in the field of information security.” The assessment must also include, to the extent available, at least 6 months of data that logs every “communication or attempted communication with a database or data system containing sensitive personally identifiable information.” The logs must contain “all log-in information associated with databases or data systems containing sensitive personally identifiable information, including both administrator and user log-in information.”
- Notifying the Government -
In addition to ensuring that individuals receive timely notice of security breaches, the Bill also obligates businesses to report security breaches to the federal government when certain criteria are met. The Secretary of Homeland Security is directed to designate the entity that will receive this information and disseminate it to the U.S. Secret Service, the FBI, and the FTC. Such Government notice may be required even if a risk assessment determines that no individual notification is required. The Bill sets the criteria that trigger the government reporting obligation, which arises when the SPII of more than 5,000 individuals is accessed; the breach involves a database containing such information about more than 500,000 individuals; or the breach involves federal government databases or the SPII of individuals known to the business to be federal employees or contractors involved in national security or law enforcement. The FTC is authorized to promulgate regulations to amend the thresholds for when the government notice must be provided. The timeline for notifying the government is at least 72 hours before the individual notice, or 10 days after discovery of the security breach - whichever comes first.
- Enforcement -
At the federal level, compliance with the Bill is enforced by the FTC under the Federal Trade Commission Act. Any violation of the Bill is defined to be an unfair or deceptive trade practice that is subject to the jurisdiction of the FTC, even if the business entity does not meet the other jurisdictional requirements under the FTC Act.
In addition to enforcement by the FTC, state attorneys general are empowered to bring civil actions seeking injunctive relief or civil penalties of up to $1,000 per day for each individual whose SPII was compromised - up to $1 million per violation. Under the Bill, there is no cap on the civil penalties that state attorneys general can recover when the business entity is found to have acted willfully or intentionally.