As an extension of our forecast of upcoming cyber-related legislation, on April 15, the House Energy & Commerce Committee approved the Data Security and Breach Notification Act of 2015 (H.R. 1770), adopting three amendments that were proffered during the markup. The bill will now move to full House floor consideration next week.
The following is a brief summary of some of the bill’s current key provisions (subject to change):
- Preemption—The Act would expressly preempt state law.
- Information Security Standard—The Act would require Covered Entities (CEs) to implement and maintain “reasonable security measures and practices” to protect personal information in electronic form against unauthorized access and acquisition. The standard would allow for flexibility based on the CE’s characteristics, clarifying that security measures should be “appropriate for the size and complexity” of the CE as well as the “nature and scope of its activities.”
- Definition of Personal Information—The Act would apply to information in electronic form, such as name, date of birth, address, phone number, driver’s license or other government-issued identification numbers, and social security numbers. Data such as financial account information and unique account identifiers would be considered personal information only when held in combination with certain security codes or passwords. Further, amendments adopted yesterday added to the definition of personal information: (i) user names or email addresses in combination with a password or security question and answer that would permit access to online accounts; and (ii) any information pertaining to the transmission of specific calls (e.g., numbers dialed or time, location, or duration of calls). However, encrypted information as well as publicly available information would be exempted.
- Breach Notification Trigger—The bill would set forth a risk of harm analysis, requiring CEs to determine whether there is a risk of identity theft, economic loss or harm, or financial fraud to affected individuals. Notification would not be required where there is no reasonable risk that the breach will result in one of the above harms.
- Notification Timing—CEs would be required to provide notice no later than 30 days after the CE has restored its system and identified the impact of the breach. This timeline is, arguably, a more favorable approach for CEs than the “date of discovery” rule that would otherwise apply, because it would allow the CE to first focus on mitigating the security threat and determining the scope of the incident before the “clock” to notify impacted consumers would begin.
- Third-Party Vendors—The bill would impose notice requirements on third-party vendors but would give the non-breached covered entity (whose data was the subject of the breach) the option to notify impacted customers. Specifically, unless there is no reasonable risk of harm, vendors must notify the non-breached entity of a breach within 10 days of restoring the system and identifying the impact. The non-breached entity would then have 10 days to elect to provide notice, after which notice to affected individuals must be provided within 25 days (by whoever chooses to provide it). Notably, Internet Service Providers subject to the Communications Act would not be subject to these requirements.
- FTC Enforcement—The bill would empower the FTC to enforce the Act but would not grant the FTC rulemaking authority.
- State Enforcement—State Attorneys General (AGs) would have the authority to bring civil actions for violations that would affect their States’ residents; however, State AGs must provide prior written notice of the action (or instantaneous notice, where prior notice is not feasible) as well as a copy of the complaint to the FTC. The FTC would have discretion to intervene in State actions, but State AGs would be barred from bringing an action for violations where the FTC has already instituted a Federal civil action. An amendment adopted yesterday also preserved State AGs’ ability to bring actions for breaches involving health information, if the AG has generally enforced prior similar actions.
- Civil Penalties—The bill would set a cap on penalties against first-time violators: maximum liability for all violations related to a single incident would be limited to $8,760,000 for failure to maintain reasonable security practices and $17,520,000 for breach notification violations.
- Private Actions—The Act would not allow for a private right of action.
Congress is intently focused on cybersecurity legislation, and it is expected that the Senate Cybersecurity Information Sharing Act of 2015 (CISA) bill will go to the floor in the coming weeks. It is possible that the Data Security and Breach Notification Act of 2015 could be offered as an amendment to CISA. Also, as predicted, Senators Roy Blunt (R-MO) and Tom Carper (D-DE) reintroduced their data breach legislation yesterday.