On July 20, 2011, the House Subcommittee on Commerce, Manufacturing, and Trade voted to send the “Secure and Fortify Electronic Data Act” (the SAFE Data Act), H.R. 2577, to the full House Energy & Commerce Committee, moving it one step closer to passage. The bill, sponsored by Representative Mary Bono Mack (R-Calif.), seeks to “protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide nationwide notice of a security breach.” H.R. 2577, p.1. The current text of the bill can be found at this link.
According to Representative Bono Mack, the SAFE Data Act was promulgated to address recent cyber attacks and other data breaches at companies such as Sony, Epsilon, and Citigroup. Bono Mack Introduces Legislation to Protect Consumers From Identity Theft (July 19, 2011),
The law would create a national breach notification standard that would supersede 46 state laws (plus District of Columbia and Puerto Rico laws) that require companies to notify individuals of security breaches involving their personal information. The Subcommittee debated several amendments to the legislation, focusing in particular on issues relating to the rulemaking authority of the Federal Trade Commission (FTC) and the definition of personal information.
Under the current version of the bill, personal information is defined as an individual’s first name or initial and last name, or address, or phone number, in combination with certain other personal information, such as the person’s Social Security number, driver’s license number, passport number, financial account number, or credit or debit card number. Democrats tried unsuccessfully to expand the definition of personal information to cover geo-location information relating to children, online communications, over-the-counter drug usage information, online searches for disease-related information, and information about video and book rentals and purchases. Amendments approved during the Subcommittee hearing included a clarification that certain of the Act’s information security obligations would apply to paper records in addition to electronic records, and limited the FTC’s ability to alter certain aspects of the law, such as the definition of personal information.
If passed, the Act would mark a shift in the federal approach to privacy. Currently, federal privacy legislation is sector based (e.g., health, financial, children and education), and the states have passed a patchwork of security breach notification laws. The federal law would go a long way toward providing much needed consistency in the area of data security and privacy.
The bill contains many notable provisions; the remainder of this article outlines the most significant ones.
SECTION 2. Requirements for Information Security
The SAFE Data Act tasks the Federal Trade Commission (“FTC”) with promulgating rules to ensure that “any person (“Person”) engaged in interstate commerce that owns or possesses data containing personal information related to that commercial activity” establishes and implements policies in accordance with the Act. H.R. 2577, p.2:5-7. In making such rules, the Act directs the FTC to consider the size, nature, scope and complexity of activities of the Person, the state of the art in protecting such information, and the cost of implementing the rules. Id. at 2:15-22.
The Act notes that the rules established by the FTC should include: (A) a security policy for the collection, use, sale, dissemination and maintenance of personal information; (B) the identification of an officer responsible for managing information security; (C) a process for identifying and monitoring vulnerabilities in data systems; (D) a process for rectifying vulnerabilities in data systems; (E) an appropriate process for disposing of data in electronic form; and (F) a standard method for destruction of paper documents. Id. at 3:1-25; 4:1-6. The FTC will also require that the Person establish procedures which minimize the amount of data collected to that which is necessary for the business purposes of that Person. Id. at 4:7-14.
SECTION 3. Notification and Other Requirements in the Event of a Breach of Security
Any Person who collects and maintains data in an electronic form will, in the case of a breach of a security system, be required to notify Federal law enforcement, take steps to prevent further breach, identify affected individuals, and, if the individuals face a reasonable risk of identity theft or fraud, notify the FTC and each affected individual within 48 hours. Id. at 4:20-25; 5:1-25.
If the breach occurs at a third-party agent or a service provider, the third party or service provider must also notify Federal law enforcement, take steps to prevent further breach, and notify the Person as promptly as possible. Upon receiving notification of a third party or service provider breach, the Person must determine if the individuals affected face a reasonable risk of identity theft or fraud, and if so, notify the FTC and each affected individual within 48 hours. Id. at 6:1-11; 7:1-9.
If the Person is required to notify more than 5,000 individuals of a security breach, the Person must also notify major credit reporting agencies. Id. at 7:10-21.
Additionally, a Person must provide affected individuals notice not later than 45 days after discovery of a breach. However, if a Federal law enforcement agency determines that notification would impede a civil or criminal investigation, notification can initially be delayed by up to 30 days, and law enforcement can revoke the delay or extend the delay if necessary. If a Federal national security or homeland security agent requests a delay, such agent can delay notification for an amount of time that the agent deems necessary, and can also revoke the delay or extend the delay if necessary. Id. at 7:22-24; 8:1-25; 9:1-9.
A Person required to give notification to affected individuals must give “Direct Notification” by providing a “conspicuous and clearly identified notification” by one of the following methods: written notification; or notification by email if the primary communication has been by email or if the individual has consented to receive notifications by email. The notification should include: a description of the personal information that may have been acquired; a telephone number that the individual can use, at no cost, to contact the Person to inquire about the breach; notice that the individual is entitled to receive free quarterly credit reports for two years, or credit monitoring for two years; the toll-free numbers of credit reporting agencies; and a toll-free number for the FTC. Id. at 9:11-24; 10:1-24; 11:1-23.
The Person can provide “Substitute Notification” in lieu of “Direct Notification” if the Person owns information pertaining to fewer than 1,000 individuals and direct notification is not feasible due to the excessive cost or a lack of sufficient contact information for the affected individuals. The substitute notice must be accomplished by an email notification to the extent the Person has the email addresses of the affected individuals, a conspicuous notice on the Person’s website of a breach, and notification in print and broadcast media. The substitute notice should contain notice that the individuals are entitled to receive free quarterly credit reports for two years, or credit monitoring for two years, and a telephone number by which the individual can learn whether their information is included in the breach. The Act tasks the FTC with determining the circumstances under which substitute notice may be provided. Id. at 11:1; 12:1-24; 13:1-25; 14:1-25; 15:1-25; 16:1-22.
Generally, if the electronic information owned by the Person is “unusable, unreadable, or indecipherable” due to encryption or other security technology or methodology, there will be a presumption that a breach of that information poses no reasonable risk of identity theft, fraud, or other unlawful conduct. The Act directs the FTC to issue guidance regarding technology which makes data unusable. This presumption can be rebutted by showing that the encryption or other technology was compromised. Id. at 16:23-24; 17:1-25; 18:1-6.
Additionally, if the FTC believes that notification of the breach on its own website would be beneficial, the FTC may place such notice in a clear and conspicuous location on the website. Within one year of the enactment of the Act, the FTC must also conduct a study relating to whether notification to individuals should be provided in languages other than English. The FTC may also promulgate any other laws which will aid it in implementing and enforcing the Act. Id. at 18:7-24; 19:1-2.
SECTION 4. Application and Enforcement
The requirements of sections 2 and 3 of the Act apply to those over whom the FTC has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act and any organization described in section 501(c) of the Internal Revenue Code that is exempt from taxation under 501(a) of that Code. Id. at 19:4-14.
A violation of section 2 or 3 will be treated as an unfair or deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act. The FTC may enforce this Act with the same powers and jurisdiction as the provisions of the Federal Trade Commission Act. A violation of the Act may result in a civil penalty of $11,000 for every day a Person is not in compliance with section 2 or section 3, with the penalty to be adjusted according to the Consumer Price Index to reflect inflation. The maximum total liability under the Act is $5,000,000 for all related violations of section 2 and $5,000,000 for all related violations of section 3 resulting from a single breach in security. Id. at 19:4-14; 21:1-25; 22:1-9.
The attorney general of a state, or an official or agency of the state, as parens patriae, may bring a civil action on behalf of the residents of the state to enjoin further violation of the Act, to compel compliance with the Act, or to obtain civil penalties under the Act. The state shall provide the FTC with a copy of its complaint. Id. at 20:10-25; 22:1-25; 23:1-8.
Upon notification that a state is bringing action under the Act, the FTC may intervene in the action, be heard on all matters arising under the action, and file petitions for appeal. If the FTC has filed an action under the Act, no state attorney general or official or agency of the state may bring an action during the pendency of that action. However, the attorney general may still conduct investigations, administer oaths or affirmations, or compel attendance of witnesses or production of discovery. Id. at 23:18-25; 24:1-4.
If an entity is covered by the Health Insurance Portability and Accountability Act (“HIPAA”) or the Gramm-Leach-Bliley Act (“GLBA”), that Person is exempt from the requirements of sections 2 and 3 of this Act. However, if a Person is subject to the jurisdiction of the FTC under section 505(a)(7) of the GLBA, such Person will be subject to the requirements of this Act. Id. at 24:4-25; 25:1-23.
SECTION 6. Relation to Other Laws and Conforming Amendments
This Act supersedes any provision of a statute, regulation, or rule of a State that contains requirements for information security practices similar to section 2 of the Act, or requirements for notification of a breach of security similar to section 3 of the Act. Additionally, no attorney general of a state, or an official or agency of the state, may bring an action under the laws of that state if the action is premised in whole or in part on a provision of this Act. However, this Act does not limit the enforcement of the state’s consumer protection laws, state trespass, contract, or tort law, or other state laws that relate to fraud. Id. at 30:11-24; 31:1-19.
SECTION 7. Effective Date
The Act will take effect one year after enactment of the Act. Id. at 32:1-3.