The United States House of Representatives took a major step this week toward enacting a national data breach notification law.
H.R. 2221, the Data Accountability and Trust Act (DATA), cleared the House with a voice vote. In its current form, DATA requires businesses to notify customers and the Federal Trade Commission (FTC) if sensitive information has been exposed to a security breach.
If the U.S. Senate can reconcile its own approach to data breach notification legislation with DATA, a new federal standard will emerge. If signed into law by President Barack Obama, a federal data breach law would pre-empt the jumbled mass of dozens of state laws. "You'd be better served by federal legislation if the federal legislation has teeth and doesn't pre-empt the state's law," said California state senator Joe Simitian, speaking to executive editor Scot Petersen in September. "If there was a meaningful standard at the national level, I think many states would be happy to accept it."
Aside from the data breach notification required by the HITECH Act, DATA would put into place the first national law of its kind. H.R. 2221 was sponsored by House Subcommittee Chair Rep. Bobby L. Rush of Illinois. The bill specifically states that:
"Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data --
- notify each individual who is a citizen or resident of the United States whose personal information was acquired by an unauthorized person as a result of such a breach of security; and
- notify the Federal Trade Commission."
It is "unacceptable that in 2009 there is no comprehensive federal law that requires all companies that hold consumers' personal information to protect that data," Rush said. "It is equally unacceptable that there is no federal law requiring companies that experience a data breach to provide notice to those consumers whose personal information was compromised."
The data breach notification requirement would not apply to an entity if the compromised information is considered by the FTC to be "unusable, unreadable or indecipherable" by encryption or other security technology.
DATA also gives the FTC latitude to deem in compliance "any person who is required under any other federal law to maintain standards and safeguards for information security and protection of personal information that provide equal or greater protection than those required under this subsection." Such a determination extends only to oversight under other federal laws, for example the Health Insurance Portability and Accountability Act, not to state data breach laws. DATA caps civil penalties that states could impose at $5 million per violation.
Focus on information brokers
H.R. 2221 also focuses special attention on information brokers, who must under DATA "submit their security policies to the commission in conjunction with a notification of a breach of security … or upon request of the commission."
The requirement for security policies to govern firms that store personally identifiable information is similar to those in place under the Gramm-Leach-Bliley Act. These security policies include:
(A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information.
(B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.
(C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system maintained by such person that contains such electronic data, which shall include regular monitoring for a breach of security of such system.
(D) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by subparagraph (C), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.
(E) A process for disposing of obsolete data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or undecipherable.
Additionally, after a data breach, the commission would be instructed to conduct an audit of the information security practices of information brokers or require them to conduct an independent audit of such practices. DATA requires that information brokers "establish measures which facilitate the auditing or retracing of any internal or external access to, or transmissions of, any data in electronic form containing personal information collected, assembled, or maintained by such information broker."
DATA also creates a new mechanism for information brokers to offer consumers the ability to prohibit their personal data from being used for marketing purposes. That addition comes in a week in which the prospect of increased FTC compliance rules for behavioral marketing was raised in an online privacy workshop.
DATA exempts from the security policy requirements above electronic communications of a third party that are stored by telecommunications carriers, cable operators, information services and interactive computer services, deferring instead to the coverage of section 3 of the Communications Act of 1934.
For compliance officers who already follow security precautions of equal or greater strength to those set out by DATA, yesterday's passage should hold little fear, as their operations are likely to be in FTC compliance.
Information brokers and compliance officers alike now have reason to watch the progression of data breach notification bills through the Senate. The Personal Data Privacy and Security Act (S. 1490), introduced by Sen. Patrick Leahy of Vermont, cleared the Senate Judiciary Committee but has never come to a vote on the Senate floor. Leahy's bill, like DATA, would pre-empt state data breach notification laws, and it would also set information security standards for federal government agencies.
"This is a comprehensive bill that not only deals with the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place," Leahy said in a statement. "Passing this comprehensive data privacy legislation is one of my highest legislative priorities as chairman of the Judiciary Committee."
No likely action until 2010
Whether Leahy's aspiration is realized will likely be a question for the 112th Congress in 2010. Sen. Dianne Feinstein of California has also introduced a data breach notification act, S. 139. "S. 139 is basically CA SB 1386 [California's data breach law], introduced by Feinstein at the national level," said John Bace, senior analyst for public policy at Stamford, Conn.-based Gartner Inc.
"That said, multiple vehicles of legislation is not a bad idea," he said. "Virtually everything that was in S.139 is in S. 1490. Both would lift the burden of people who have to do business in a multistate environment, from having to look at 46 different data breach laws."