On July 20, 2011, the House Commerce, Manufacturing and Trade subcommittee approved the Secure and Fortify Electronic (SAFE) Data Act (“SAFE Data Act” or “Act”) in a voice vote. The text of the bill is available here. The measure will now move to the full Energy and Commerce Committee for consideration. The bill would establish a national standard for when companies are required to notify consumers that their unencrypted personal information has been accessed or acquired and for notifying the Federal Trade Commission (“FTC”) and law enforcement of a security breach.
The bill applies to all persons and companies subject to the jurisdiction of the FTC and any tax-exempt organizations under Section 501(c) of the Internal Revenue Code; however, entities subject to HIPAA and Gramm-Leach-Bliley will be exempt from the Act in certain circumstances. Under the current version, only data containing personal information related to commercial activity is protected. Personal information is defined as the consumer’s name, or address or phone number, combined with one or more of the following pieces of information: social security number, government identification number (e.g., driver’s license number), or financial account identification number (if the codes or passwords needed to gain access to the financial account are included).
The Act would require notification to the FTC within 48 hours of discovering an information breach, and notification to consumers “as promptly as possible” but not later than 45 days after discovery of such breach. Notification can be delayed by law enforcement, the National Security Agency, or the Homeland Security Agency if it is determined that such notification will threaten an investigation or national or homeland security. Additionally, the Act would require persons subject to the Act to maintain policies and procedures with respect to (i) the collection, use, sale and other dissemination of data containing personal information, (ii) a process for identifying reasonably foreseeable vulnerabilities through regular monitoring, (iii) taking preventive and corrective action, and (iv) properly disposing of data containing personal information in electronic and non-electronic form. Persons who own or possess data containing personal information must also establish a plan for minimizing the amount of personal information they keep. The FTC is required to adopt regulations implementing the Act within 1 year of its passage.
As currently drafted, the bill raises some serious issues. First, the type of personal information subject to a breach notice is limited to financial information or information that might be used for identity theft. Democrats on the subcommittee wanted to include medical data under the Act, but Republicans rejected any amendments introduced to expand the definition of personal information, stating that the purpose of the Act is to protect consumers’ financial information and guard against identity theft, and that other forms of private data should be addressed in separate legislation. Moreover, the Act limits the FTC’s ability to modify the definition of personal information.
Second, the Act would preempt State and local laws that impose similar information security or breach notification requirements with respect to any entity subject to the Act, and would preempt civil actions under State law for violation of information security or breach notification requirements unless brought by a State official. Such a broad preemption could weaken state data breach laws without putting equivalent or stronger federal protections in place. Because cable operators would be subject to the provisions of the Act, the Act amends Section 631(c)(1) of the Communications Act to remove the information security requirements currently applicable to cable operators.
Third, persons subject to the Act are not required to notify consumers and the FTC of data breaches if the persons make a “reasonable determination that the breach of security presents no reasonable risk of identity theft, fraud, or other unlawful conduct ….” Thus, data breaches like the recent breach announced by Citibank may never be made public (however, financial institutions will still be required to comply with Gramm-Leach-Bliley and may still be required to report all data breaches and identify internally all consumers whose encrypted data may have been accessed or acquired). Further, the bill establishes a presumption that “no reasonable risk of identity theft, fraud, or other unlawful conduct exists” if the disclosed data is unusable, unreadable, or indecipherable due to encryption or other security technology.