A new bill that would require customer notification of data security breaches will fix a big gap in federal regulation, experts say. Currently, companies that conduct interstate commerce are forced to evaluate every breach on a state-by-state basis in order to comply with each state’s breach notification regulations. But the recently introduced Personal Data Privacy and Security Act of 2007 strives to fill in the gaps and supersede state law, in order to create a more effective way to mitigate and prevent identity theft in the United States.
In addition to offering new requirements for providing notice of a breach to individuals, the bill, which was introduced to the Senate for debate on May 23, will establish criminal penalties and law enforcement support to protect personal data. The bill also proposes the creation of an Office of Federal Identity Protection within the Federal Trade Commission to help consumers deal with identity theft.
It’s no surprise that the bill’s sponsor, Sen. Patrick Leahy (D-Vt.), introduced it when he did—in the wake of recent security breaches in the U.S. Veterans Administration and TJ Maxx stores. Leahy, who has long been a champion for data privacy legal reform, introduced an earlier version of the bill in 2005. “The Judiciary Committee favorably reported this bill in November 2005,” Leahy, chairman of the Judiciary Committee, said in February when he introduced the bill. “But, unfortunately, our bill languished on the Senate calendar for more than a year without any action and the Congress adjourned without passing comprehensive data privacy legislation last year.” What’s more, just days before Leahy introduced the bill, the Agency of Human Services in his home state of Vermont reported a data breach, adding a sense of timeliness to his bill.
“While the Congress waited to act on passing data privacy legislation, the problems with data breaches remained a persistent and pernicious threat to Americans’ privacy,” Leahy said.
Companies in the financial services and health industries will be most affected by the security breach notification and enforcement parts of the bill. Although a large part of the legislation deals with new requirements for data brokers, companies already subject to the requirements of the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996 are exempt from the new bill’s mandates. “I think that life will be better for all companies, maybe with the exception of data brokers who will be heavily regulated by government,” said Brian Hengesbaugh, a partner at Baker & McKenzie with a focus on privacy and information management. “But for everyone else, at least there will be a federal standard. Many companies will find some real advantages to the passage of this bill.”
“This Act would change things for the financial institutions,” said Paul Bond, an attorney in Reed Smith LLP’s financial services litigation practice area. “Since the financial institutions are inclined to give notice of breaches in any event, due to the disclosure laws of at least 35 states, the federal requirements of giving notice will not be a big change. But the uniform standard imposed by this one federal law would be a welcome relief.” Keeping track of the multitude of state regulations and ensuring compliance with them has become a hassle for companies and their legal counsel. “Right now, there are almost 40 different state laws with breach notification requirements,” Hengesbaugh said. “You then have that many different standards about what data is covered by the breach notifications, who you have to notify and when.”
The new bill will remedy this multistate requirement for companies that do interstate commerce. Although companies that are covered by GLBA or HIPAA are exempt from implementing a data privacy and security program outlined by the bill, they do have to follow the measure of the law in regards to notification.
“In general, any agency, or business entity engaging in interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information shall, following the discovery of a security breach of such information, notify any resident of the U.S. whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired,” the bill said.
“Additionally, if the company believes that there is no risk of harm resulting from the breach, the Act would allow them to send the results of their investigation to the Secret Service for guidance,” Bond pointed out. Increased federal guidance is important when the consequences of not reporting a breach in a timely manner could result in civil sanctions. In fact, under the bill, a company or person that hides a breach could face criminal punishment.
“The Act would make it a crime to fail to make a required disclosure of a breach,” Bond explained. “When that concealment leads to economic harm, the company that failed to disclose a breach is subject to a fine or imprisonment of up to one year.”
“The criminalization would be a significant factor in the minds of companies when they are trying to decide whether or not to notify consumers of a breach,” Hengesbaugh said. “Where it’s unclear, the fact that you might face criminal penalties would motivate more companies to notify their customers. I don’t know if that’s a good thing or not. We run the risk of flooding people with breach notices.”
Health services companies that are covered by HIPAA will also be subject to the breach notification requirements under the Act, but the legislation is very specific when it comes to the type of data it covers.
“Within the scope of the information that the Act is trying to cover, there is no mention of personal health information, genetic information or medical records,” said James Jacobson, co-chair of Holland & Knight LLP’s national Health Law Team. “It seems that companies covered by HIPAA are required to report a breach, but only when it comes to specific personally identifiable information. Also, they would not be exempt from the criminal penalties for fraudulent actions.”
In fact, the bill focuses on the disclosure of a person’s first and last name, or first initial and last name, in combination with things like a social security number, driver’s license number, home address or telephone number, mother’s maiden name or biometric data like a fingerprint.
Additionally, the Act focuses on breaches that disclose “a financial account number or credit or debit card number in combination with any security code, access code or password that is required for an individual to obtain credit, withdraw funds or engage in a financial transaction.” This requirement would be a particular concern to financial services companies.
But despite the risk of criminal penalties, the proposed bill protects companies by taking away the right to private causes of action for failure to give timely notice of a breach. A similar rule can be found in GLBA and HIPAA.
“The U.S. Attorney General or state attorneys general would prosecute any such action,” Bond said. “These public officers do not have the same incentive structure as the Plaintiffs’ bar—the attorneys general are in the privacy business for the long haul, and will have the institutional knowledge to accurately assess any situation which may arise.”
Ultimately, this proposed bill may make life better for companies that could potentially suffer data security breaches, especially in the financial services world. But the question remains: will this version of the Act make it through debate on the Senate floor?
“I was very optimistic two years ago that we were going to get some regulation of this kind at the federal level,” Hengesbaugh said. “Now there may be new pressures in the business community and the media that will carry this forward.” Hengesbaugh said the broad focus of the Act might draw out debate and ultimately hamper passage of the bill.
“The thing that will make the passage of the bill harder is that it isn’t just about breach notification,” he said. “It also includes extra provisions on government protection of information. The fact that it has a broader focus means that debate might go on for a long time. I think it would be easier for the bill to get adopted if it just focused on requirements for reasonable security and breach notification. Then you wouldn’t have all these other considerations that will invariably attract more debate and attention.”