In recent weeks, both state and federal regulators have considered security breach notification legislation. On June 15, 2012, Connecticut Governor Dannel Malloy signed a budget bill that, among other things, amends the state’s security breach notification law. The changes, which will take effect on October 1, 2012, most notably require businesses to notify the state Attorney General no later than the time when notice of a security breach is provided to state residents. Although the law does not specify when notice must be provided to affected individuals, the law states that such notice must be made “without unreasonable delay,” subject to law enforcement delays and the completion of an investigation by the business to determine the nature and scope of the incident, to identify affected individuals, or to restore the reasonable integrity of the data system. As we previously reported, Vermont also recently amended its breach notification statute to require businesses to notify the state Attorney General within 14 days of discovering a security breach or concurrently when notifying consumers, whichever is sooner.
The amendment to the Connecticut statute coincides with Senator Pat Toomey’s (R-PA) introduction of the Data Security and Breach Notification Act of 2012 (the “Toomey Bill”) on June 21, 2012. The Toomey Bill, co-sponsored by Senators Olympia Snowe (R-ME), Jim DeMint (R-SC), Roy Blunt (R-MO) and Dean Heller (R-NV), would create a national breach notification law. Under the enforcement of the Federal Trade Commission, the Toomey Bill would require covered entities to notify affected individuals whose personal information was, or the covered entity reasonably believes has been, accessed and acquired by an unauthorized person, but only if the entity “reasonably believes [the breach] has caused or will cause, identity theft or other financial harm.” Notice to affected individuals must be provided “as expeditiously as practicable and without unreasonable delay.” A covered entity also would be required to notify the Secret Service or the FBI of the breach if the number of affected individuals exceeds 10,000. In addition to it breach notification provisions, the Toomey Bill requires covered entities to “take reasonable measures to protect and secure data in electronic form containing personal information.” “Covered entities” as defined in the Toomey Bill do not include financial institutions subject to Title V of the Gramm-Leach-Bliley Act or HIPAA-covered entities, which are exempt from the bill’s requirements.
Like many of the state breach notification laws, the Toomey Bill provides a substitute notification option that is available when providing direct notice would result in “excessive costs” to the covered entity (relative to the entity’s resources) or when the covered entity lacks sufficient contact information. Substitute notification entails posting a conspicuous notice on the entity’s website or in print and to broadcast media where the affected individuals reside. Violations of the Toomey Bill would be treated as unfair or deceptive acts or practices, as defined by Section 5 of the FTC Act. Covered entities who fail to provide proper notice under the bill would face a maximum civil penalty of $500,000 for a single breach.
In his press release, Senator Toomey stated that “[a] number of recent high-profile data breaches combined with the messy patchwork of 46 different state laws highlight how difficult it is for consumers to know their personal information is secure,” adding that his bill would preempt state statutes and “eliminate the burden of complying with varying standards and laws.”
The Toomey Bill is the latest Congressional attempt to create a national data breach notification standard. As we previously reported, similar federal legislation has been introduced, including the Personal Data Privacy and Security Act of 2011, the Data Breach Notification Act of 2011 and the Personal Data Protection and Breach Accountability Act of 2011.