On September 22, 2010, the Consumer Protection, Product Safety, and Insurance Subcommittee of the Senate Committee on Commerce, Science, and Transportation ("Subcommittee") held a hearing to discuss data security legislation recently introduced by Senators Pryor (D., AR) and Rockefeller (D., WV)-S. 3742, The Data Security and Breach Notification Act of 2010.
Witnesses at the Subcommittee's hearing included Maneesha Mithal, the Federal Trade Commission's Associate Director for the Division of Privacy and Identity Protection-a division of the Bureau of Consumer Protection-as well as industry and consumer protection organization representatives from TechAmerica, the Consumer Union, and the American Hospital Association.
The Senate's introduction of new data security legislation and recent hearing provide further examples of the increased scrutiny that federal entities have brought to data security and privacy practices in the past year.1 The Senate's recent bill joins a string of similar legislation aimed at regulating data security and privacy practices. While most of these bills are still pending in their respective Congressional chamber, in December 2009, the House of Representatives passed H.R. 2221-the Data Accountability and Trust Act. The introduction of S. 3742, which provides similar data security and breach notification requirements, brings legislators one step closer to creating comprehensive federal data breach and security regulation.
S. 3742-The Data Security and Breach Notification Act of 2010
Similar to H.R. 2221, the Senate's bill contains three major requirements regarding data security and information privacy:
- Entities that possess individual's personal information would be required to adopt reasonable and appropriate data security protection measures, including methods to dispose of electronic and non-electronic data;
- Such entities would be required to notify affected consumers and the Federal Trade Commission ("FTC") of data security breaches; and
- Information brokers would have to implement reasonable procedures to ensure data accuracy, provide consumers access to their data, and allow consumers to dispute inaccurate information.
The Act applies to persons and entities that are regulated by the FTC pursuant to Section 5 of the FTC Act and non-profit entities, including charities and educational institutions. The bill's application to Section 5 entities and specific non-profit entities, as defined in the bill, would exempt some industries from coverage, including telecommunications common carriers, which are exempt from FTC regulation under the FTC Act. The Senate's bill would also give the FTC a wide-range of authority to promulgate and enforce data security, breach notification, and information broker regulations. S. 3742 would preempt similar state data security and breach notification laws, but would provide states' attorneys general enforcement authority and the ability to collect civil penalties.
The Senate's Hearing Highlights Trends and Concerns Regarding Data Security and Privacy
Senators and witnesses at the September 22 hearing provided a broad range of suggestions and concerns related to the bill, highlighting some of the obstacles Congress may encounter in passing federal data security and privacy legislation.
The FTC generally supported the Senate's new bill, but recommended that the Senate enlarge its scope to cover security breaches that involve both paper and electronic records and require telecommunications common carriers to comply with the bill's provisions, by providing the FTC authority to regulate these entities under this legislation, despite the FTC Act's common carrier exemption. The FTC's recommendations regarding telecommunications providers, however, failed to discuss federal laws that already protect personal information maintained by telecommunications common carriers, including Section 222 of the Communications Act and the Federal Communications Commission's ("FCC") related Customer Proprietary Network Information ("CPNI") rules requiring entities to enact data security safeguards and provide breach notification to consumers, the FBI, and the Secret Service.
The FTC's testimony also highlighted general principles the FTC believes are important for data security, providing an indication of the FTC's direction if a bill requiring the FTC to promulgate regulations is passed. The FTC's principles include:
- Entities that make claims about data security should ensure that such claims are accurate;
- Entities should be required to protect against well-known, common technology threats;
- Entities must know with whom they are sharing customers' sensitive information;
- Entities should not retain sensitive consumer information after that organization no longer needs the information for business or legal reasons; and
- Entities should always dispose of sensitive consumer information in a secure manner.
Industry advocates expressed concern, as did some Senators, that S. 3742 may impose dual or conflicting legal requirements on some entities, such as entities that are already required to comply with the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act; and could over-notify consumers about security breaches that do not present a risk of identity theft or fraud.
The Senate Committee on Commerce, Science, and Transportation has indicated that it will hold a mark-up on S. 3742 next week.