As high-profile data breaches continue to make news, it appears Congress could finally pass legislation establishing a national standard for data breach notification. Currently, PII breach notification is governed by a patchwork of state laws, making compliance burdensome and time consuming for affected businesses. To further complicate matters, many states have recently passed or are considering legislation to amend current rules in the wake of recent breaches. However, despite Congress ramping up its efforts to pass federal breach notification legislation and President Obama calling for federal action on data breaches in his State of the Union address, a number of factors still need to be ironed out. They include:
- The extent to which state laws should be preempted. Federal breach notification legislation would obviously set minimum standards, but the question remains whether it should set the ceiling as well. Some members of Congress would likely oppose a law that prevents states from setting a higher standard than the federal minimum. Additionally, whether a federal cause of action would provide the sole remedy for breach notification violations will likely be another subject of debate, along with the enforcement role, if any, of the FTC.
- The types of breaches that trigger a notification requirement. Congress will need to specify which types of information must be put at risk to bring an incident under the federal standard. States have taken a myriad of approaches in this respect, so Congress must determine how broadly or narrowly to construe the definition of “personal information.” There also will be a debate over how much, if any, potential harm a breach must pose before it would trigger a requirement to notify affected parties.
Both chambers of Congress are currently considering legislation that would create a federal standard for breach notification. Some of the more notable bills currently pending include:
- Data Security and Breach Notification Act of 2015. This bill, which was introduced by Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.), was reported favorably out of the House Energy and Commerce Committee in mid-April, although it has not yet reached the House floor. It requires notification to affected individuals when there is a reasonable risk of identity theft, economic harm, or financial fraud; to the FTC and FBI if more than 10,000 people are affected; and to consumer reporting agencies if notice must be provided to more than 10,000 individuals. The bill would preempt state notification laws but would not exempt an entity from common law remedies for violations. Currently, this bill appears to have gained some traction in the House, and the National Retail Federation has spoken out in favor of it.
- Consumer Privacy Protection Act of 2015. Although Sen. Leahy’s (D-Vt.) bill is unlikely to gain traction in the Republican-controlled Senate given the fact that it has only Democratic support, it gives us an idea on where the parties are likely to line up on this issue. For example, unlike the House bill mentioned above, this bill would only preempt state laws less stringent than the federal standard, meaning that companies operating in states with tougher rules would remain subject to the higher standard. Additionally, this bill has a lower notification threshold, requiring notification only when sensitive personally identifiable information has been accessed or acquired, rather than when there is a reasonable likelihood for harm.
- Data Security Act of 2015.This bill was introduced in the House with bipartisan support by Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.) along with its Senate counterpart, S.961, which was introduced by Senators Roy Blunt (R-Mo.) and Thomas Carper (D-Del.). The House version currently has 5 Democratic and 4 Republican cosponsors. This legislation would require entities that handle sensitive information to implement an information security program and notify appropriate parties of data breaches likely to cause identity theft or fraudulent transactions. The bill also contains a strong exclusivity provision to preempt state laws.
These are but a few of the bills introduced in the 114th Congress regarding breach notification, a clear sign that Congress is taking the topic seriously. Additionally, the House Financial Services Committee recently held a hearing regarding data security and breach notification that involved testimony from various stakeholders. We can reasonably expect businesses to lobby for higher notification thresholds and full federal preemption, and for consumer advocacy groups to push for the opposite. Although it is unlikely that any one of these bills will be signed into law in an unmodified form, it seems that there is a strong possibility that Congress and the President will take action on breach notification within the next year or two.