Data Security and Breach Notification Act of 2015

  1. Who is covered by the legislation?
  2. What is personal data?
  3. What is the standard of care for data security?
  4. What happens when there is a breach?
  5. Which agency has jurisdiction?
  6. What about state notification laws?

Who Is Covered By The Legislation?

The legislation defines covered entities to include “all sole proprietorship, partnership, corporation, trust, estate, cooperative, associations, or other entities in or affecting commerce that acquires, maintain, stores, sells, or otherwise uses data in electronic form (i.e. computers, cloud, recordable tapes, and other electronic mass storage devices) that includes personal information over which the Federal Trade Commission has authority.” This includes common carriers and non-profit organizations.

The bill does provide an exemption for entities covered under the Health Insurance Portability and Accountability Act (HIPAA) (45 CFR 160.163) and for brokers, dealers, investment companies, investment advisers, or persons engaged in providing insurance that are subject to the Gramm-Leach-Bliley Act (GLBA) (15 U.S.C. 6801, et seq.).

What Is Personal Information?

Personal Information is “any information or compilation of information in electronic form that includes the following:

  • An individual’s first and last name or first initial and last name in combination with any one of the following data elements: driver’s license or passport number, or alien registration number.
  • Any two of the following: home address or telephone number, mother’s maiden name, month, day, and year of one’s birth.
  • A financial account number, or credit card, or debit card number or other identifier, in combination with any security code, access code, or password that is required for an individual to obtain credit, withdraw funds, or engage in a financial transaction.
  • A unique account identifier, electronic identification number, biometric data unique to an individual, user name or routing code in combination with any associated security code, access code, biometric data unique to an individual or password that is required for an individual to obtain money, or purchase goods, services, or any other thing of value.
  • A non-truncated social security number.”

The bill also states that information that is encrypted or otherwise rendered unusable, and information that is publicly available (such as government records or news publications), is not classified as personal data.

What Is The Standard of Care For Data Security?

The proposed bill defines that an entity shall “implement and maintain reasonable security measures and practices to protect and secure personal information in electronic form against unauthorized access as appropriate for the size and complexity of such covered entity and the nature and scope of its activities.”

This standard of care will be determined on a case-by-case basis. It will focus not only on industry practice, but also on the entity’s size and its method of information storage. Also, note that the word “practice” has particular importance. Practice might include how proactive an entity is in reviewing its data security system. Having a security system in place without conducting any assessments will not protect you from liability if this bill becomes law.

Here is a link to a previous blog post addressing the issue of being proactive: Data Privacy – How Proactive Are You?

What Happens When There Is A Breach?

To answer this question we need to address three points: what a breach is, when notification must take place, and how notification must take place.

The statute describes a breach as a “compromise of the security, confidentiality, or integrity of, or loss of data in electronic form that results in, or there is a reasonable basis to conclude…in the unauthorized access of personal information.”

Concerning when notification must take place, the bill states that the covered entity must notify the Federal Trade Commission, the Secret Service, or the FBI of the breach if the breach exceeds 10,000 victims or potential victims of identity theft. The covered entity must notify the victims or potential victims within “thirty days after the breach has been discovered and [steps have been taken] to determine the scope and restore the reasonable integrity, security, confidentiality of the data system.”

If a third party was contracted to store, process, or maintain personal data, the third party must notify the covered entity of the breach, or it must itself provide the notification to those affected by the breach if that responsibility was assigned to it in the contract between the covered entity and the third party. If a service provider discovers a breach, the service provider must contact the covered entity.

It is interesting to note that non-profits have a different set of protocols for a security breach.

Finally, the notification process, as previously stated, must be done within thirty days after the breach has been discovered and corrected. The bill provides an extension of that time in the event that there is an ongoing criminal investigation or there is a threat to national security. The agency requesting the delay must put this request in writing not only to the affected entity, but also to the Federal Trade Commission. Notification can be done via U.S. mail or via email.

The content of the notification must include a description of the data that was breached or is reasonably believed to have been breached, a toll-free number that the person may call to discuss the matter with the company, a toll-free number for a consumer reporting agency (i.e. credit reporting), and a toll-free number and internet website for the Federal Trade Commission to receive information regarding identity theft.

In the event that the contact information for more than 500 individuals is out of date or insufficient, the covered entity can provide substitute notice either through an email or a notice on the covered entity’s website.

Who Has Jurisdiction?

The Federal Trade Commission has jurisdiction over issues of data security and data breaches. Failure to comply with either the data security standard or the breach notification requirements will be treated as an unfair or deceptive act or practice under the Commission’s authority.

The fines for not complying with the data security standard are set at $11,000 per day, with a cap of $2,500,000. The fines for not complying with data breach notification are $11,000 per failure to notify a person, with a maximum fine of $2,500,000. The fines are adjusted for inflation. When issuing penalties, the Commission “will review the degree of culpability, prior conduct, ability to pay, and any other matters” concerning the compromise in security.

What About State Notification Laws?

The bill does intend to preempt state law for those entities that are covered by this bill. Although there is preemption, state attorneys can file lawsuits on behalf of their citizens to enforce this law. However, if the Federal Trade Commission is pursuing an administrative action against a covered entity, then the states are preempted from filing any litigation against that covered entity. The legislation does not provide a private right of action.

In conclusion, the Data Security and Breach Notification Act is a step forward in Congress’ attempt to provide a standard for data security and data breach notification. The bill also recognizes and incorporates other data security laws that are currently in place (i.e. HIPAA and GLBA). Since the bill is in its draft form, we can expect changes to this legislation.

Stay tuned for updates regarding this bill and other pending data privacy legislation that Congress will be reviewing in the near future. Please do not hesitate to contact us to discuss how we can help you be ahead of the curve before Congress passes new legislation.

White House Releases Proposed Data Notification Bill

Who Is Covered?

The proposed bill covers all types of business entities, for-profit and not-for-profit. State and federal governments are not covered.

How Is Data Defined?

The proposed bill has a detailed definition of personal information. The bill defines “sensitive personally identifiable information” as “any information or compilation of information in electronic or digital form that includes:

  • An individual’s first and last name or first initial or last name in combination with any two of the following data elements: home address or phone number; mother’s maiden name; month, day, and year of birth.
  • One’s complete Social Security number, driver’s license, passport number, alien registration number or government issued unique identification number
  • Biometric data
  • A unique account identifier (i.e. credit card number, financial account number, routing code, electronic identification number, and user name).
  • User name or e-mail address in combination with a password or security question and answer
  • A combination of data elements.”

What Is The Protocol?

Pursuant to the proposed legislation, notification would apply to all business entities “engaged in or affecting interstate commerce, that uses, access, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12 month period…” Notification is required immediately after discovery of the breach; however, an entity can request a thirty-day extension, unless a federal law enforcement agency requests additional time due to an active investigation.

The bill also provides companies with exceptions from compliance. Exceptions include, but are not limited to, matters of national security, cases where the information was encrypted, and security programs that automatically notify the user of fraudulent use of a credit card.

The other exemption is the risk assessment exception. The risk assessment exception applies when an entity conducts a study of its data security system and shows that the data breach would pose no reasonable risk because of how the information is protected. The risk assessment is evaluated under the data security standards. Failure to comply with these standards would be a violation under the unfair or deceptive trade standard. The risk assessment exception must be in writing, and documentation of the assessment must be produced within thirty days after the alleged incident.

If no exception applies, notice must be given to the victims. The notice must include a description of the personal information that was compromised, a toll-free number that the individual may call to obtain further information from the entity, the major credit reporting agencies, the Federal Trade Commission, and any assistance that may be available from the state where the victim lives.

Who Has Jurisdiction?

The Federal Trade Commission has jurisdiction under the proposed legislation. As previously stated, the Federal Trade Commission would use the unfair or deceptive trade standard to enforce any and all violations.

What Is The Impact To State Notification Laws?

The proposed legislation would supersede all state notification laws as they apply to the entities already defined. However, state attorneys can file a data breach action against those entities only if “the interest of residents of that State has been or is threatened or adversely affected by the engagement of a business entity in a practice that is prohibited under this title or the failure to meet a requirement imposed under this title…” If the state does meet this standard, it can impose, among other things, a $1,000 fine per victim, up to $1,000,000.

Potential Issues

As with any newly proposed legislation, there are many issues that Congress and the White House would need to work on.

One of the first issues involves jurisdiction with respect to the other data breach statutes. Currently, there are federal data breach provisions for the medical sector (HIPAA and HITECH), the financial sector (GLBA), and the education sector (FERPA). Although the proposal addresses entities covered under HITECH, it provides no exemptions for the other aforementioned legislation. Any federal data breach legislation needs to either exempt the aforementioned legislation or incorporate it into the legislation. Failure to do so would result in confusion, such as double jeopardy if two federal agencies were prosecuting the same entity under different federal legislation covering data breaches.

Congress also needs to clarify the states’ role under this section. The question of double jeopardy would also apply here if a state files suit after the Federal Trade Commission has issued its administrative decision.

We can expect more data breaches in 2015, such as those impacting Target, Sony, or even our own government. The pressure for a federal data breach law will mount with each breach. However, Congress and the White House would need to work together to develop data breach legislation that is clear, concise, and complements the other federal data breach provisions.

We will keep you updated regarding the progress of this legislation, and please do not hesitate to contact us to discuss ways that we can help your company become data privacy compliant before any federal data breach law is passed.

Privacy, Data Protection & Security

With increased media and government scrutiny of data privacy matters, customers are demanding more from businesses and the government. Customers expect that the information they give you is safe from unauthorized use by your employees or outsiders. Indeed, government regulators around the world are also starting to encourage, and in some cases require, companies to protect their citizens’ privacy. Market forces and government regulations are forcing many corporations to consider how to apply protection standards. For many companies and organizations – small and large – the question is how?

PobleteTamargo attorneys, working alongside data privacy technology experts at ProPrivatus as well as senior public policy advisors, can assist you in this fast-changing data privacy arena. We will help you assess vulnerabilities in the management of your customers’ confidential information. Our legal team and Certified Information Privacy Professionals (CIPP) will help your organization create custom strategies to better ensure data privacy.

Using privacy principles that have been in use for almost twenty years, we offer the following services:

  • Privacy gap and risk analysis
  • Reviewing and developing your business strategic privacy plan
  • Designing privacy policies and procedures consistent with U.S. and international laws and regulations
  • Legal representation before state and federal agencies
  • Data breach management
  • Data privacy advice and training

Additional Reading

  • Gramm-Leach-Bliley Act of 1999 (GLB)
  • Fair Credit Reporting Act of 1970 (FCRA)
  • Fair and Accurate Credit Transactions Act of 2003 (FACTA)
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
  • Telecommunications Act
  • Communications Decency Act
  • Electronic Communications Privacy Act of 1986 (ECPA)
  • Computer Fraud and Abuse Act of 1986 (CFAA)
  • Foreign Intelligence Surveillance Act of 1978 (FISA)
  • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
  • Communications Assistance for Law Enforcement Act of 1994 (CALEA)
  • Right to Financial Privacy Act of 1978 (RFPA)
  • National Security Letters (NSLs)

Data Privacy: How Proactive Are You?

The FTC is one of the federal agencies that currently has administrative jurisdiction over whether or not corporations have adequately protected consumers’ data privacy. This study provides you with a general idea of what reasonable care looks like. Reasonable care can be summed up in one word: proactive. How proactive is your company in protecting data? For data privacy, being proactive is not a one-time event.

Being proactive requires you not only to assess, devise, and implement a data privacy plan, but also to assess whether your data privacy policy remains sufficient in the changing world of technology. Being proactive also includes training and educating your staff on the data privacy protocols and on any necessary changes to those protocols.

Failure to be proactive may cost your company not only fines at the administrative level, but also its reputation in the marketplace.

Although FIPA does not define reasonable measures, looking at what the FTC requires through its enforcement actions does provide an idea of what reasonable measures look like. And while there is no cookie-cutter approach – every business is different, even within the same field – you can begin to consider what may or may not work for you by reviewing these recent enforcement actions.

Working in conjunction with data privacy professionals at ProPrivatus, your data privacy and legal compliance team offers the following services:

  1. Privacy gap and risk analysis
  2. A privacy strategic and business plan
  3. Privacy advice and training
  4. Designing privacy policies and procedures
  5. Breach management

Learning from the Target Data Breach

Unfortunately, because of Target’s failure to follow through on its own data security system, the hacks were not acted on until the Department of Justice notified the company of the breach. The technology revolution has changed the world, and retail as we know it along with it. Information formerly stored in secure warehouses is now somewhere in the ether, forcing small and large businesses to begin thinking about how to protect their information, and ultimately their reputations, from hackers.

In short, good privacy is good business. Good privacy practices are a key part of corporate governance and accountability. One of today’s key business imperatives is maintaining the privacy of personal information.

As business systems and processes become increasingly complex and sophisticated, organizations are collecting growing amounts of personal information. As a result, personal information is vulnerable to a variety of risks, including loss, misuse, unauthorized access, and unauthorized disclosure. Those vulnerabilities raise concerns for organizations, governments, and the public in general.

Organizations are trying to strike the right balance in the collection and use of their customers’ personal information. Governments are trying to protect the public interest and, at the same time, manage their cache of personal information gathered from citizens.

Consumers are very concerned about their personal information, and many believe they have lost control of it. Furthermore, the public has a significant concern about identity theft and inappropriate access to personal information, especially financial and medical records, and information about children.

Individuals expect their privacy to be respected and their personal information to be protected by the organizations with which they do business. They are no longer willing to overlook an organization’s failure to protect their privacy. Therefore, all businesses need to effectively address privacy as a risk management issue.