As part of its cyber security legislative proposal unveiled on May 12, the Obama administration sent to Congress a proposed Data Breach Notification bill that would supersede similar state laws. If enacted, the bill would dramatically simplify response to data breaches involving residents from multiple states—a process that is now a maze of requirements, often requiring near instant legal judgment under 50 or more statutes as to whether a single breach event is a covered notice event. In short, the current maze of state laws has been great for vendors of breach notification services, but less sensible for national and global companies attempting to achieve compliance with needlessly diverse and even competing legal requirements.
If enacted, the Administration’s bill would apply broadly to all companies engaged in interstate commerce that use, access, transmit, store, dispose of or collect “sensitive personally identifiable information” (SPII) about more than 10,000 individuals during any 12-month period. As a practical matter, therefore, the proposed bill would apply to all but the smallest of e-commerce companies and companies that store information about individuals, but would exclude from coverage numerous businesses who handle little personal information beyond that of their employees.
“Sensitive Personally Identifiable Information” is defined more broadly than in most state data breach notification statutes; in addition to the usual combination of first and last name, home address, birth date, telephone number, passwords, and/or Social Security Number (or other government-issued unique identification number), the proposed bill also covers individuals’ unique biometric data (e.g., finger print, voice print, retina or iris image, other unique physical representations) and unique account identifiers (e.g., financial account numbers, credit/debit card numbers, electronic ID numbers, user names, routing codes, etc.). The bill also gives the Federal Trade Commission (FTC) the authority to modify and expand the scope of SPII.
If a business covered by the proposed bill discovers a security breach of protected information, it must notify:
- Individuals whose protected information was, or is reasonably believed to have been, accessed or acquired, generally within 60 days of the discovery of the breach. The notice required under the proposed bill must consist of both individual notice, which can be written, telephonic, or through e-mail, and media notice, which must be given in each state where the number of residents of the state whose SPII was compromised exceeds 5,000. Note that the media notice requirement is in addition to the requirement to individually notify affected individuals; individual notice must always be given.
- Consumer reporting agencies, within 60 days of the discovery of the breach, of the timing and distribution of notices to individuals, IF the business is required to notify more than 5,000 individuals overall.
- An entity to be designated by the Secretary of Homeland Security, IF 1) the number of individuals whose SPII was compromised exceeds 5,000; 2) the breach involves a database, network, or integrated databases that stores SPII for over 500,000 individuals nationwide; 3) the breach involves databases owned by the Federal Government; or 4) the compromised SPII belongs to employees or contractors of the Federal Government involved in national security or law enforcement. This notification must be made 72 hours prior to notification to individuals whose SPII has been compromised, or 10 days after the discovery of the breach, whichever comes first.
As is the case under many state breach disclosure laws, email notice to individuals would be permitted only if the individual entitled to notice has consented to receive such notices by email and the notice is consistent with provisions of the Electronic Signatures in Global and National Commerce Act (“E-SIGN Act”).
Critically, the proposed bill includes a “safe harbor” from the requirement to notify individuals if a risk assessment supports a conclusion that there is no reasonable risk that a security breach has or will result in harm to the individuals whose SPII has been compromised. If the SPII is encrypted or otherwise unusable, unreadable, or indecipherable through the use of accepted information security methods, there is a rebuttable assumption that no reasonable risk (and therefore no individual notice obligation) exists. If a company takes advantage of this safe harbor, it must notify the FTC, in writing, within 45 days of the discovery of the breach of its decision to invoke the risk assessment exemption and must also report the results of the risk assessment performed. Businesses are also not required to provide notice to individuals if the Secret Service or the Federal Bureau of Investigation determines that doing so would impede a law enforcement investigation or undermine national security.
The requirement to notify the FTC of a security breach even when the compromised information is encrypted is a departure from most state data breach notification statutes, which don’t require businesses to notify state government officials if reliance upon the encryption exemption is the reason for not notifying affected individuals. While there is little time required to notify the FTC, the requirement has the practical effect of exposing many additional breach events to federal consumer protection authorities, thereby potentially triggering follow-up inquiries or even proceedings. The FTC has brought 50 or more investigations culminating in consent decrees in the information security space, so this is an area for special attention. Among other aspects, this notification requirement would lead to a spike in notifications to the FTC that the current staff would likely be challenged to respond to individually, without additional appropriations for staffing and other resources. The Agency, which was involved in the drafting of the bill, is aware that the encryption criteria in many state breach laws is the factor that permits many companies to avoid notice obligations, even where the Agency might itself make a reasonable judgment that the breach nevertheless (a) was a result of weak or deceptive information security practices and policies, where FTC enforcement action is warranted, and/or (b) exposed affected data subjects to substantial risk of harm.
The proposed bill gives power to the FTC to investigate and enforce the proposed act and adopt rules and regulations it deems necessary. State Attorneys General are also given the power to bring civil actions in United States district courts to enjoin actions that harm the interest of the residents of their states, enforce compliance with the proposed federal bill, and most importantly, seek civil penalties of not more than $1,000 per day per individual whose SPII was compromised, up to a maximum of $1,000,000 per violation. The FTC, however, would be allowed to act to stay or consolidate actions by state Attorneys General. State Attorneys General are also prohibited from bringing suit if the FTC has already initiated a proceeding or action related to a data breach for a violation of the proposed legislation. Unsurprisingly, the proposed bill does not provide a private cause of action for individuals whose SPII has been compromised.
The White House has made available a useful section by section analysis of its proposal. Time will tell how Congress reacts.