The following piece, written by the Hogan Lovells privacy team, was posted to the International Association of Privacy Professionals’ (IAPP) Privacy Tracker on March 31. The post, Data Security and Breach Notification Legislation Gaining Traction in Congress, is reprinted in its entirety below with permission from the IAPP.
For more than a year now, we have been hearing that the spate of highly publicized data breaches could lead to federal data security and data breach legislation. On March 25, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade took action that brings us closer to seeing that prediction become a reality. In this post, we take a closer look at the bipartisan legislation approved by the subcommittee—the Data Security and Breach Notification Act of 2015 (DSBN)—and discuss five key provisions that are likely to be at issue as the legislation moves forward.
The Data Security and Breach Notification Act of 2015
The DSBN is intended to create a single national security and breach notification standard for most private sector organizations that handle personal information in electronic form, including telecommunications common carriers, nonprofits and companies ordinarily subject to the Federal Trade Commission’s (FTC) jurisdiction (collectively, “covered entities”). The bill requires covered entities to “implement and maintain reasonable” security measures to protect personal information and establishes breach notification obligations for covered entities that suffer a data security breach. The current version of the bill would require covered entities to notify affected individuals within 30 days of taking the steps necessary to investigate the breach and restore the “integrity, security and confidentiality” of affected systems. If a covered entity reasonably suspected that a breach affected more than 10,000 individuals, the covered entity would be required to notify the FTC, the Secret Service or the Federal Bureau of Investigation “as expeditiously as possible.”
These timing requirements are likely to be debated as the bill moves forward. Additionally, resolution of the following five issues likely will impact the bill’s prospects for enactment.
1. Preemption of State Laws to Create Consistent Security and Notification Standards
Similar to other data breach bills that Congress has debated in the past decade, the DSBN would preempt state data security and breach notification laws. Many organizations would welcome eliminating the patchwork of state laws that currently exists. Under current law, organizations that suffer a security breach must look to the notification requirements in 47 states and the District of Columbia to determine whether to notify individuals, law enforcement, state regulators, consumer reporting agencies or the media. This can be a complicated and often lengthy process. And state data security laws and regulations require organizations to assess their security measures against the expectations of multiple regulators. However, some members of Congress and some consumer groups oppose preempting state laws unless the federal standard provides the highest level of consumer protection and can be adapted via administrative regulations to address new threats. And members of Congress have debated whether federal legislation should preempt common law causes of action—such as breach of contract and negligence. The current version of the bill preempts state statutory and regulatory law. The DSBN’s sponsors are debating whether the bill should preempt common law claims.
2. Risk of Harm Trigger
The DSBN relieves covered entities of their notification obligations if a breach poses no reasonable risk of “identity theft, economic loss or economic harm, or financial fraud” to individuals whose personal information was accessed or acquired without authorization. Many members of Congress have raised concerns with the inclusion of a risk of harm trigger. They argue that such a trigger would unnecessarily erode consumer protections in those jurisdictions—including California, Texas and New York—that require notice to be issued in the event that personal information is compromised, regardless of whether the compromise creates a risk of harm. On the other side of the debate, some members of Congress argue that the lack of a risk of harm trigger leads to over-notification, numbing consumers and making it less likely that they will take needed precautions in the event of a breach that poses true risk.
3. Expanded Definition of Personal Information
The definition of what constitutes personal information is a key element for determining whether a particular security incident is governed by breach notification laws. Some members of Congress believe that an expansive definition of personal information will lead to over-notification. Other members maintain that an overly narrow definition could harm consumers by causing them not to receive notice about breaches that could lead to risk of identity theft or other financial harm. The DSBN’s definition of personal information is more expansive than the definitions found in many state laws. Most states define “personal information” as some combination of first name (or initial) and last name (or in some states another identifier), along with one or more data elements such as a Social Security number, driver’s license number or financial account number. The DSBN definition differs in three significant ways:
- First, the DSBN lists several specific data elements that would alone constitute personal information. For instance, personal information would include a financial account number and security code, or a non-truncated Social Security number, even if that information were compromised without a person’s name.
- Second, the DSBN would define personal information to include biometrics, usernames, passwords and other information required to obtain money or purchase anything of value.
- Third, the DSBN defines personal information to include an individual’s first name or initial and last name along with any two of the following: home address, telephone number, mother’s maiden name and date of birth.
4. Special Notification Requirements
Covered entities that process or store personal information on behalf of other covered entities (described here as “data owners”) must promptly notify data owners of security breaches affecting their information. The DSBN would then provide these data owners the discretion, if certain conditions are met, to decide whether to provide notice to affected individuals. If the data owner does not elect to provide notice, the breached covered entity that processed or stored the data would generally be obligated to provide notice. Which entity is required to provide notification has become a hotly contested issue. Typically, state laws require that data owners provide notification when their data is breached, regardless of where the breach occurred. Some organizations have questioned whether it makes sense to require data owners to provide notice when the systems of another entity were breached. These organizations argue that requiring processors to provide notification would create greater incentives for processors to improve their security measures. Other organizations, however, argue that consumers may be confused if they receive data breach notifications from processors with which they have no direct relationship. For many stakeholders, resolving the issue of who has direct liability for providing notice will be a priority.
5. Enforcement Authority and Scope of Coverage
The DSBN authorizes the FTC to enforce the DSBN under the FTC Act and provides the FTC with the authority to issue uncapped civil penalties for violations of the act without having to first enter into a consent decree. Other data security and breach notification bills have included caps on the FTC’s pursuit of civil penalties. Senator Bill Nelson’s (D-FL) legislation (S.177), for instance, caps penalties at $5,000,000 for violations of notification obligations and $5,000,000 for a violation of a security standard.
The DSBN would establish security and notification requirements for most business entities and nonprofit companies (except for certain healthcare and financial sector entities). Telecommunication companies would be subject to the DSBN and the FTC’s enforcement. This is likely to be a major point of debate among lawmakers, telecommunication companies, the FTC and the Federal Communications Commission.
Momentum appears to be building for the enactment of federal data security and breach notification legislation. Both the President and key members of Congress have put these issues at the top of their agendas, and we are seeing a more widespread effort by policymakers to focus on specific legislative solutions rather than general oversight of breach incidents.
At the same time, though, there are lingering areas of dispute, such as those identified above. Disagreements over the scope of federal legislation and its preemptive effects have plagued prior legislative attempts. Unless members of Congress and the President are willing to compromise on these core issues, the DSBN may stall like other efforts.