Senator Pat Toomey [R-Pa] introduced on June 21 a bill, the Data Security and Breach Notification Act of 2012 (the Data Breach Act), which could become the Federal data breach notification law. If enacted, entities collecting and maintaining personal information would have to secure this information, and would also have to provide notice to individuals affected by a breach of security involving personal information.
The Data Breach Act would preempt State laws (Section 6), and would take effect one year after its enactment.
Senator Toomey published a statement explaining why he believes such a law is needed:
"A number of recent high-profile data breaches combined with the messy patchwork of 46 different state laws highlight how difficult it is for consumers to know their personal information is secure. Congress needs to provide businesses and consumers with certainty and establish a single reasonable standard for information security and breach notification practices. Our bill would eliminate the burden of complying with varying standards and laws, ensuring that all consumers and their personal information are afforded the same level of protection."
Scope of the Data Breach Act
The bill would cover entities over which the Federal Trade Commission (FTC) has authority pursuant to section 5(a)(2) of the FTC Act, and also common carriers subject to the Communications Act of 1934.
However, financial institutions subject to Title V of the Gramm-Leach-Bliley Act would be exempt from the Data Breach Act, as would entities covered by the regulations issued under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to the extent that such entities are subject to the requirements of those regulations with respect to protected health information.
The covered entities would have to “take reasonable measures to protect and secure data in electronic form containing personal information” (Section 2). The bill does not, however, define what these ‘reasonable measures’ should be, which could lead to uncertainty for businesses.
Personal information would not include information “encrypted, redacted, or secured by any other method or technology that renders the data elements unusable” (Section 5(5)(B)(ii)). Therefore, it seems that encrypting personal information would serve as a safe harbor for covered entities.
Notification of Information Security Breach
The Data Breach Act would define a “breach of security” as an “unauthorized access and acquisition of data in electronic form containing personal information” (Section 5(1)).
Each covered entity owning or licensing personal data would have to notify individuals of a security breach if their personal data was or may have been affected by the breach. Entities would only have to notify American citizens or residents, Section 3(a)(1). Therefore, if a breach of a U.S. system affects the data of, say, the international clients of a company, a covered entity could argue that it does not have to notify them of the breach. In practice, though, international clients could not be ignored without some public relations damage. The entity would also have to inform the FBI of any breach of security which may affect more than 10,000 persons, Section 3(a)(2).
If the system where the breach occurred is maintained by a third party, the third party would have to notify the covered entity of the breach, which in turn would notify individuals, Section 3(b)(1)(A). ISPs would not be considered a third party by the Act, Section 3(b)(1)(C). However, an ISP becoming aware of a breach involving data owned by one of its entity-customers would have to notify the entity of the breach, if the covered entity can be ‘reasonably identified.’
Timeliness of Notification
Covered entities would have to notify individuals affected by the security breach “as expeditiously as practicable and without unreasonable delay,” Section 3(c)(1). However, the notification may be delayed if a Federal law enforcement agency requests so in writing because the notification would impede a civil or criminal investigation, or if a Federal national security agency requests so in writing because the notification would threaten national or homeland security. In both cases, the notification may be held for a “reasonably necessary period,” which would be determined by the Federal agency requesting the delay, Section 3(c)(2)(A) and Section 3(c)(2)(B).
Method and Content of Notification
The notification could be accomplished by mail, telephone, or email. It would have to contain the date or the estimated date of the breach, as well as the range of the breach. It would also have to contain a description of the personal information that was accessed and the contact information an individual affected by the breach may use to learn more about the breach and to find out which of their personal data the covered entity held, Section 3(d).
A substitute notification would be authorized instead of a direct notification to the affected individual if a direct notification is not feasible because of excessive cost relative to the entity’s resources, or if the entity does not have sufficient contact information for the individual affected by the breach. Such substitute notification could be a “conspicuous notice” on the entity’s web site, or a notification published or broadcast by major media in the areas where the affected individuals may live, Section 3(d)(2).
In practice, this may lead to some disparities. If a deep-pocketed company suffers a breach but is unable to contact the affected individuals directly because it does not have their contact information, it could then choose to publish or broadcast the notification. It would have to do so at least throughout the U.S. territory, and one could even argue that it would have to be done around the world, as U.S. citizens living abroad may be affected by the breach as well.
An entity with lesser means may not be able to do so, as such publication would be quite expensive. A direct notification might not be feasible because of the high cost for the company, yet a substitute notification would be even more expensive if the entity does not have enough information about the affected individuals to contact them. Some small companies process a huge volume of personal data, yet may not have the financial capacity to notify all the individuals concerned by the breach.
Violating section 2 and section 3 of the Data Breach Act would be considered unfair or deceptive acts or practices under the FTC Act, and the FTC would have the power to enforce the Data Breach Act.
The maximum civil penalty for a covered entity having violated the Data Breach Act would be $500,000 for all violations of section 2 and $500,000 for all violations of section 3 resulting from a single breach of security, Section 4(c)(3)(A) and (B). There would be no private cause of action against a person for violation of the Data Breach Act, Section 4(d).
It is not the first time that such a bill has been introduced in Congress. Last year, S. 1207, the Data Security and Breach Notification Act of 2011, was introduced by Senator Mark Pryor [D-AR], which itself was a re-introduction of S. 3742 during the 111th Congress. S. 1207 was not enacted. It remains to be seen whether Senator Toomey’s bill will have the same fate.
However, the bill has already received the support of AT&T, in a statement by Tim McKone, Executive Vice President of Federal Relations, which read:
“The security of our customers’ personal information is of utmost importance to us and is a priority in how we conduct our business. That is why we are pleased by Senator Toomey’s thoughtful and comprehensive bill, the ‘Data Security and Breach Notification Act of 2012.’ It is a common sense bill that will eliminate uncertainties and ultimately consumer confusion by establishing uniform requirements.”
The CTIA, the Wireless Association, also supports the bill. Jot Carpenter, its Vice President of Government Affairs, issued this statement:
“CTIA welcomes the introduction of Senator Toomey’s bill. By advancing a proposal that offers a comprehensive, uniform approach to data security and breach notification, Senator Toomey demonstrates that it is possible to protect consumers while providing clear, consistent guidelines to businesses.”
Another data breach notification bill, H.R. 3730, sponsored by Rep. Joe Donnelly [D-IN], the Veterans Data Breach Timely Notification Act, has recently passed the House Veterans’ Affairs Subcommittee. The bill is not as inclusive as the Data Security and Breach Notification Act, as it would only require the Secretary of Veterans Affairs to provide notice to veterans whose sensitive personal information is involved in a data breach.