Prospects for a federal law establishing uniform national data security breach notification requirements improved with the July introduction by Sen. Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, of the "Personal Data Privacy and Security Act" (S. 1490). Sen. Leahy's bill would establish national standards for data security and for notification of breaches, impose new security rules on data brokers and increase punishments for identity theft. S. 1490 joins legislation on the same topic introduced earlier in the House by Rep. Bobby Rush (D-IL), although the two bills differ in many respects.
Under the Leahy bill, businesses having "sensitive personally identifiable information" in electronic or digital form on 10,000 or more U.S. persons would have to implement a comprehensive data privacy and security program that "includes administrative, technical, and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities." The specific requirements would essentially mirror data security requirements established through Federal Trade Commission (FTC) enforcement cases in recent years.
Beyond establishing data security standards, S. 1490 also would establish a federal law governing notification of security breaches. The bill would impose a general duty to notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired.
The Leahy bill includes four titles. Title I would discourage businesses from concealing data breaches by making the intentional and willful concealment of a data security breach for which notice is required a federal felony.
"Data Broker" Regulation
Title II would try to reduce identity theft by regulating the data brokers that sell "personal electronic records" to third parties. The bill does so, generally speaking, by treating such data brokers, and personal electronic records, in a manner similar to credit reports under the Fair Credit Reporting Act. For example, it would give individuals rights of access and correction, and require notice when an "adverse action" is taken based on sensitive personally identifiable information.
The bill includes a potentially broad definition of "data broker." While including the types of entities, such as Acxiom, that one would expect to be covered by data-broker regulation, the bill's definition could also be interpreted to encompass any company that stores, among other data, an individual's first name (or initial) and last name in combination with a Social Security or driver's license number, a biometric identifier, or a person's home address or telephone number, mother's maiden name, or birthday. This could subject a wide range of services, such as social networking websites, that happen to collect such information to the requirements applicable to "data brokers."
Title IV would require the General Services Administration (GSA), when considering contract awards totaling more than $500,000 with data brokers, to evaluate the brokers' data privacy and security program regarding personally identifiable information. In this context, S. 1490 defines "personally identifiable information" as information in electronic or digital form "serving as a means of identification." The GSA may take into account a data broker's history with respect to data breaches.
National Security Standard
The data security provisions at the heart of the bill appear in Title III, which would establish a national standard for private businesses on securing "sensitive personally identifiable information." The Leahy bill would preempt the 45 existing state laws establishing security standards for business. It also would apply to more types of information than most state laws now in effect, through an expansive definition of "sensitive personally identifiable information." The bill would exempt businesses subject to security requirements under the Gramm-Leach-Bliley Act, federal functional regulators, state insurance authorities or HIPAA. S. 1490 would not preempt state laws applicable to state and local governmental entities.
The bill would require risk assessments, appropriate steps to minimize identified risks and proper disposal of data when no longer needed. It also contains requirements regarding employee training, regular testing and reassessments in light of changes in technology and changes in an entity's business. Finally, entities that outsource data to entities that are not otherwise covered by the bill would have a specific obligation to exercise due diligence in selecting vendors, and the vendors themselves would need to meet the requirements that apply to the business.
In an effort to provide businesses with some certainty, the legislation would direct the FTC to identify industry privacy and security standards applicable to types of sensitive personally identifiable information. Compliance by a business with the standards applicable to the types of information held by the business would create a "safe harbor" protection.
Businesses would be required to provide notification "without unreasonable delay" following discovery of a security breach. Under the bill, a "security breach" is the compromise of computerized data through "misrepresentation or actions that result in, or there is reasonable basis to conclude has resulted in, acquisition of or access to sensitive personally identifiable information that is unauthorized or in excess of authorization."
The Leahy bill would allow notification to be delayed, or not made, in several circumstances. First, notice may be delayed where the business certifies that disclosure could damage national security or hinder a law enforcement investigation. To prevent a business from invoking this provision to avoid embarrassment or to conceal its own violations of law or inefficiencies, such a certification would be delivered to the U.S. Secret Service, which would assess whether the certification is merited.
Second, S. 1490 would create a "safe harbor" in which notification would not be required if a risk assessment concludes that there is "no significant risk" that a security breach has resulted in, or will result in, "harm" (which is not defined) to the individuals whose sensitive information was subject to the breach. A rebuttable presumption of "no significant risk" is created if the breached data were encrypted or otherwise rendered "indecipherable." The bill does not define an acceptable minimum level of encryption or indecipherability, but defers to existing standards-setting bodies and industry best practices. To avail itself of this safe harbor, a business must provide its risk assessment to the U.S. Secret Service within 45 days of discovery of the security breach. The Secret Service then has 10 business days in which to decide whether notice must be provided.
A third exemption would apply if a business uses a security program designed to block the use of sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of individuals and provides for notice to affected individuals after a security breach that has resulted in fraud. This exemption is limited, and does not apply if the information subject to the breach includes more than merely a credit card number or credit card security code.
In the event of a breach, the bill would require any entity that uses "sensitive personally identifiable information" licensed from another to notify the true owner. The licensing parties may agree between themselves which entity is to give the requisite notice, and this obligation may become a standard issue in outsourcing contracts.
A required notice may be given by postal mail, telephone or email, if the person has consented to electronic notice per the ESIGN Act. If the number of residents whose data was accessed exceeds 5,000 in any single state, an alternative means is the use of major media serving that state. The notice must include:
- A description of the categories of sensitive personally identifiable information that were, or are believed to have been, acquired by an unauthorized person;
- A toll-free number at which the business entity may be contacted for more information; and
- The toll-free telephone numbers and contact addresses for the major credit reporting agencies.
One exception to the general preemption of state laws is that state laws requiring notices to provide information about victim assistance would still apply. Consequently, the notice requirements actually may differ slightly from state to state.
Certain circumstances would require still other notices. If a business must provide notice to more than 5,000 persons, it also must notify the national consumer reporting agencies. If the number of persons affected exceeds 10,000, or if the security breach affects a database containing sensitive personally identifiable information of more than 1 million individuals, or if the breach involves federal government databases or employees and contractors, the business must also notify the Secret Service.
Enforcement would be in the hands of the Attorney General. Civil remedies would include injunctive relief and fines of a maximum of $1,000 per day per individual, to a maximum of $1,000,000 per violation unless the conduct is willful or intentional. State Attorneys General also would be authorized to bring enforcement actions in federal district court, after first notifying the Attorney General, who may then intervene, move to stay the action or bring his own action.
Prospects for federal breach notification legislation are unclear. Congress will certainly have many other issues on its plate when it returns this month. Most likely, the issue will percolate in the remaining months of this year, and legislative activity will become more lively in early 2010. However, now is the time for businesses with concerns about such legislation to make their views known.