Data Security and Breach Notification Act of 2015

  1. Who is covered by the legislation?
  2. What is personal data?
  3. What is the standard of care for data security?
  4. What happens when there is a breach?
  5. Which agency has jurisdiction?
  6. What about state notification laws?

Who Is Covered By The Legislation?

The legislation defines covered entities to include “all sole proprietorship, partnership, corporation, trust, estate, cooperative, associations, or other entities in or affecting commerce that acquires, maintain, stores, sells, or otherwise uses data in electronic form (i.e. computers, cloud, recordable tapes, and other electronic mass storage devices) that includes personal information over which the Federal Trade Commission has authority.” This includes common carriers and non-profit organizations.

The bill does provide an exemption for entities covered under the Health Insurance Portability and Accountability Act (HIPAA) (45 CFR 160.163) and for brokers, dealers, investment companies, investment advisers, or persons engaged in providing insurance that are subject to Gramm-Leach-Bliley (GLBA) (15 U.S.C. 6801, et seq.).

What Is Personal Information?

Personal Information is “any information or compilation of information in electronic form that includes the following:

An individual’s first and last name or first initial and last name in combination with any one of the following data elements: driver’s license or passport number, or alien registration number.

Any two of the following: Home address or telephone number, Mother’s maiden name, Month, day, and year of one’s birth.

A financial account number, or credit card, or debit card number or other identifier, in combination with any security code, access code, or password that is required for an individual to obtain credit, withdraw funds, or engage in a financial transaction.

A unique account identifier, electronic identification number, biometric data unique to an individual, user name or routing code in combination with any associated security code, access code, biometric data unique to an individual or password that is required for an individual to obtain money, or purchase goods, services, or any other thing of value.

A non-truncated social security number.”

The bill also states that information that is encrypted or otherwise rendered unusable, and information that is publicly available (government records or news publications), is not classified as personal information.

What Is The Standard of Care For Data Security?

The proposed bill defines that an entity shall “implement and maintain reasonable security measures and practices to protect and secure personal information in electronic form against unauthorized access as appropriate for the size and complexity of such covered entity and the nature and scope of its activities.”

This standard of care will be determined on a case-by-case basis. It will focus not only on industry practice, but also on the entity’s size and method of information storage. Also, note that the word “practice” has particular importance. Practice might include how proactive an entity is in reviewing its data security system. Having a security system in place without conducting any assessments will not protect you from liability if this bill becomes law.

Here is the link to a previous blog post addressing the issue of being proactive: Data Privacy – How Proactive Are You?

What Happens When There Is A Breach?

To answer this question we need to address three things: what a breach is, when notification must take place, and how notification must take place.

The statute describes a breach as a “compromise of the security, confidentiality, or integrity of, or loss of data in electronic form that a result in, or there is a reasonable basis to conclude…in the unauthorized access of personal information.”

Concerning the question of when notification must take place, the bill states that the covered entity must notify the Federal Trade Commission of the breach, or the Secret Service or the FBI, if the breach involves more than 10,000 victims or potential victims of identity theft. The covered entity must notify the victims or potential victims within “thirty days after the breach has been discovered and [steps have been taken] to determine the scope and restore the reasonable integrity, security, confidentiality of the data system.”

If a third party was contracted to store, process, or maintain personal data, the third party must notify the covered entity of the breach, or it must provide the notification to those affected by the breach itself if that responsibility was assigned in the contract between the covered entity and the third party. If a service provider discovers a breach, the service provider must notify the covered entity.

It is interesting to note that non-profits have a different set of protocols for a security breach.

Finally, the notification process, as previously stated, must be done within thirty days after the breach has been discovered and corrected. The bill provides an extension of that time in the event that there is an ongoing criminal investigation or there is a threat to national security. The agency requesting the delay must put this request in writing not only to the affected entity, but also to the Federal Trade Commission. Notification can be done via U.S. mail or via email.

The content of the notification must include a description of the data that was breached or is reasonably believed to have been breached, a toll-free number that the person may call to discuss the matter with the company, a toll-free number for a consumer reporting agency (i.e. credit reporting), and a toll-free number and internet website for the Federal Trade Commission to receive information regarding identity theft.

In the event that the contact information for more than 500 individuals is out of date or insufficient, the covered entity can provide substitute notice either through email or through a notice on the covered entity’s website.

Who Has Jurisdiction?

The Federal Trade Commission has jurisdiction over issues of data security and data breaches. Failure to comply with either the data security standard or the breach notification requirements will fall under the Commission’s authority over unfair or deceptive acts or practices.

The fines for not complying with the data security standard are set at $11,000 per day with a cap of $2,500,000. The fines for not complying with the data breach notification requirements are $11,000 per failure to notify a person, with a maximum fine of $2,500,000. The fines are adjusted for inflation. When issuing penalties, the Commission “will review the degree of culpability, prior conduct, ability to pay, and any other matters” concerning the compromise in security.

What About State Notification Laws?

The bill does intend to preempt state law for those entities that are covered by this bill. Although there is preemption, state attorneys can file lawsuits on behalf of their citizens to enforce this law. However, if the Federal Trade Commission is pursuing an administrative action against a covered entity, then the states are preempted from filing any litigation against that covered entity. The legislation does not provide a private right of action.

In conclusion, the Data Security and Breach Notification Act is a step forward in Congress’ attempt to provide a standard for data security and data breach notification. The bill also recognizes and incorporates other data security laws that are currently in place (i.e. HIPAA and GLBA). Since the bill is in its draft form, we can expect changes to this legislation.

Stay tuned for updates regarding this bill and other pending data privacy legislation that Congress will be reviewing in the near future. Please do not hesitate to contact us to discuss how we can help you be ahead of the curve before Congress passes new legislation.