Posted by Anne Shelby
Could this be the year that Congress enacts comprehensive data security and breach notification legislation? As the seemingly endless stream of news stories announcing the latest breaches continues, Members of Congress consistently voice their support for uniform national laws. Washington insiders and observers have expressed divergent predictions: some are optimistic, though they acknowledge the challenges of such legislation; others are less so, often pointing out that similar circumstances surrounded the proposed CAN-SPAM Act, which took four years to become law.
At a panel discussion at the International Association of Privacy Professionals’ (IAPP) Annual Privacy Summit in Washington D.C. in March, counsel to Senate and House committees with pending bills weighed in with surprising optimism. The two counsel reported that staff-level discussions were ongoing, and that their respective chairmen have issued edicts that a privacy bill must get to the floor this year. The panelists agreed that hurdles to privacy legislation this year include other more urgent issues on Members’ agendas, the need for an adverse event to motivate lawmakers, and the difficulty of agreeing on the standards for identifying which data breaches require consumer notification. All panelists conceded that privacy issues cut across the jurisdiction of multiple committees, and that these committees’ efforts to address their particular concerns can make passage difficult, though not impossible. The Senate counsel asserted that a proposal is more likely to make it to the Senate floor, since the Senate does not have sequential committee referrals. The speakers noted that the most difficult issue for committee conferences will be determining whether the trigger for consumer notification should be a “reasonable” or a “significant” risk of harm resulting from the breach.
On a less hopeful note, one anonymous lobbyist for the banking industry noted that “data security is going to be bogged down in jurisdictional bickering …,” while another observer noted that “it’s more of a big mess this year.” (Stacy Kaper, Suddenly, Banks Seem to Like Data Bill Impasse, American Banker, Feb. 27, 2007, at 1). Some analysts have questioned the Senate’s will, given the paltry attendance of two Senators at a recent hearing on Senator Feinstein’s proposal.
In sum, given the inconsistent prognostications coming out of Washington, together with Congress’ understandable focus on Attorney General Gonzales and the Iraq war, it is too soon to say whether a privacy bill will pass Congress this session. In the meantime, here is a brief overview of the pending legislation.
Senators Leahy and Specter introduced the “Personal Data Privacy and Security Act of 2007” (PDPSA) on February 6, 2007. Their bipartisan bill, S.495, is substantially the same as last session’s bill. In the 109th Congress, the bill passed the Judiciary Committee but then languished on the Senate floor due to a jurisdictional dispute with the Commerce Committee. At present, the bill is with the Judiciary Committee.
The scope of S.495 is ambitious and far-reaching. This comprehensive proposal contains breach notification provisions, extensive regulation of data brokers, requirements for certain businesses to implement a data privacy and security program, and regulation of government access to and use of commercial data. The bill also authorizes criminal and civil penalties.
S.495’s breach notice requirements are as follows: any agency or business engaged in interstate commerce that discovers a breach of “sensitive personally identifiable information” must notify any U.S. resident whose information has been, or is reasonably believed to have been, accessed or acquired. The agency or business must also notify the owner or licensor of the sensitive personally identifiable information after a breach. “Sensitive personally identifiable information” is defined to include any information, or compilation thereof, in electronic or digital form that serves as a means of identification, including the following: (1) an individual’s first name or initial and last name, together with (2) either their social security number, driver’s license, passport or legal resident registration number, unique biometric measurements or financial information, and (3) the password or access code. Sensitive personally identifiable information also includes a name together with a home address or telephone number and a mother’s maiden name or birthdate. Notice must be given “without unreasonable delay,” unless a Federal law enforcement agency determines that notification would impede a criminal investigation. Law enforcement agencies would have immunity from liability for any act relating to the delayed notification.
The form of notice can be mail, email or telephone. If more than 5,000 individuals are affected, the entity must notify the major media outlets where the individuals reside. The entity must notify all credit reporting agencies if over 1,000 persons are affected. An entity must provide notice to the U.S. Secret Service if the number of affected individuals exceeds 10,000, if the breach involves Federal government databases or if the breach involves primarily information of employees and contractors of the Federal government involved in national security or law enforcement.
The bill contains three primary exceptions to its breach notice requirement. First, if an entity certifies that it reasonably expects that notification would damage national security or hinder a law enforcement investigation, that entity is exempt from the notice requirement. Second, a “safe harbor” exception provides that an entity will be exempt if it (a) performs a “risk assessment” and concludes that there is no “significant risk” that the breach has resulted in or will cause harm to the affected individuals; (b) notifies the U.S. Secret Service of that assessment “without unreasonable delay” and within 45 days; and (c) the U.S. Secret Service does not direct within 10 days that notice is necessary. Third, businesses that have financial fraud prevention programs in place are exempt from the notice requirement if the program blocks the use of sensitive personally identifiable information to make unauthorized financial transactions and provides notice to affected individuals after a breach results in fraud or unauthorized transactions. Most credit card companies have this type of program.
The bill assigns enforcement of distinct provisions to the Federal Trade Commission (FTC), the Secret Service, and state and Federal attorneys general. In addition, S.495 provides criminal and civil penalties for individuals who “intentionally and willfully conceal” a security breach that causes economic damage to at least one person. Punishment could include up to five years’ imprisonment and civil fines. The bill also mandates review of the Federal Sentencing Guidelines for identity theft and other related offenses.
Personal Data Privacy and Security Programs
S.495 also sets forth a series of requirements for business entities’ privacy and data security programs. Covered businesses include entities engaged in interstate commerce involving sensitive personally identifiable information in electronic or digital form on over 10,000 U.S. persons. Exemptions exist for financial institutions covered by the Gramm-Leach-Bliley Act and entities covered by HIPAA. A safe harbor exists for businesses that maintain a program equal to industry standards, as identified by the FTC.
If S.495 is enacted, the data privacy and security programs would be required to include “administrative, technical and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities.” The bill also includes requirements related to program design, ongoing risk assessments, risk management and control, employee training, vulnerability testing, and contracting with service providers.
Data brokers engaged in interstate commerce must disclose to a requesting individual, for a reasonable fee, all personal electronic records pertaining to that individual that are maintained specifically for disclosure to third parties requesting such information. The disclosure must contain guidance on procedures for correcting inaccuracies, and the data broker must analyze any resulting complaint within 30 days. Data brokers subject to the access and accuracy guidelines of the Fair Credit Reporting Act, Gramm-Leach-Bliley Act or HIPAA are exempt from these provisions. Both the FTC and state attorneys general, in cooperation with the FTC, are authorized to enforce this provision. Penalties for negligent noncompliance are up to $1,000 per day, capped at $250,000. Penalties for willful violations are double the negligence fines.
Government Use of Commercial Data
S.495 also addresses government access and use of commercial data. The General Services Administration would need to evaluate the privacy and security programs of outside contractors and commercial data brokers before entering into contracts valued at more than $500,000. One year after enactment of S.495, all federal agencies would be required to assess the data security safeguards of data brokers. Finally, the bill would require the Department of Justice to appoint an agency-wide chief privacy officer whose duties would include privacy impact assessments of all DOJ use of commercial databases containing personally identifiable information.
Senator Feinstein has also reintroduced a bill governing data breaches and notification. The “Notification of Risk to Personal Data Act of 2007” (S.239) is nearly identical to the breach and notice sections of Senators Leahy and Specter’s S.495. S.239 is now with the Judiciary Committee. Senator Feinstein’s bill covers any federal agency or business engaged in interstate commerce that uses, accesses, transmits, stores, disposes of, or collects “sensitive personally identifiable information.” The term is defined as it is in S.495.
After the discovery of a data breach, the covered entity must notify without “unreasonable delay” both (1) any U.S. resident whose information may have been accessed or acquired and (2) the owner or licensee of any breached information the covered entity does not own or license. The U.S. Secret Service would need to be notified in cases where the breach occurs in a database maintained by the Federal government or containing national security or law enforcement data. The bill also requires covered entities to announce breaches to major news media if the breach involves over 5,000 individuals’ information. As with the Leahy-Specter proposal, this bill would preempt concurrent state breach laws.
Senator Feinstein’s bill contains the same three primary exceptions as those outlined above for S.495: (1) an exception in instances where a risk assessment concludes that there is no “significant risk” of harm and notice is given to the U.S. Secret Service when no notice to consumers issues, (2) an exception for businesses with programs to block unauthorized use of financial information, and (3) an exception for instances where notice would damage national security or hinder a law enforcement investigation. This bill delegates enforcement to Federal and state attorneys general.
S.239 does not address data brokers.
The House of Representatives
The competing House data security proposal is the “Data Accountability and Trust Act” (DATA) (H.R.958), a bipartisan bill proposed by Representatives Rush and Stearns. Like its Senate counterparts, it was originally introduced in 2005. This bill is part of a group of bipartisan legislation proposed to combat pretexting, spyware, social security number misuse and data protection. It is now with the Energy and Commerce Committee, with sequential referral to the Judiciary Committee.
This proposal differs from the Senate proposals in several respects. First, throughout the bill it charges the FTC with studying numerous aspects of data privacy and security, and with promulgating further regulations implementing the bill. Second, the breach notice provision in H.R.958 has a narrower exception for businesses that perform a “risk assessment” to determine whether to notify consumers: the standard is whether a “reasonable risk,” as opposed to a “significant risk,” of consumer harm exists. In addition, H.R.958 requires entities to report all large breaches to the FTC, even if the entity issues consumer notification. Third, a conditional exemption exists for breaches of encrypted data. Fourth, the information broker provisions are more rigorous and require more reporting on the part of the brokers. Finally, the bill provides guidance for the destruction of obsolete paper and other nonelectronic information.
Within one year of H.R.958’s enactment, the FTC must require each person engaged in interstate commerce that owns or possesses electronic data containing personal information to establish and implement policies and procedures to protect that information. The bill sets forth several factors the FTC would consider in creating those policies, and would also establish requirements for each entity’s information protection program. The requirements would include: establishing a policy for information collection, storage and flow; identifying a responsible person in the organization; assessing reasonably foreseeable vulnerabilities, including regular monitoring; taking preventative and corrective action with respect to those weaknesses; and establishing a process for disposal of obsolete electronic data. This section of H.R.958 gives the FTC latitude to exempt entities that are already in compliance with other Federal laws governing data security.
The bill also requires the FTC to study the issue of destruction of obsolete paper records containing personal information and authorizes it to issue related regulations.
H.R.958 requires information brokers to submit their security policies to the FTC after a security breach or upon the FTC’s request. The FTC will then audit the policies or require the broker to conduct an independent audit. H.R.958 also requires information brokers to establish “reasonable procedures” to verify the accuracy of the personal information they collect, and to provide consumers with access to and the ability to correct their personal information. The FTC may promulgate rules exempting consumer reporting agencies subject to the Fair Credit Reporting Act to the extent that law overlaps with H.R.958. The bill also requires the FTC to issue regulations requiring information brokers to maintain an audit log of all access to and transmission of electronic data containing personal information. In a seemingly incongruous section, H.R.958 also prohibits information brokers from engaging in pretexting. Finally, the bill exempts telecommunications carriers, cable operators, information services and interactive computer services from compliance with the information security and information broker portions of the bill.
H.R.958’s notification provision is broad: any person engaged in interstate commerce that owns or possesses electronic data containing personal information must, after a security breach, notify each affected individual who is a U.S. citizen or resident and notify the FTC. Third-party vendors maintaining electronic data need only notify the owners of the data in the event of a breach. The owner is then required to comply with the H.R.958 notice provisions. Telecommunications carriers, cable operators, information services and interactive computer services have limited notification obligations when they detect transmission of personal information resulting from a security breach.
H.R.958 requires notification “as promptly as possible and without unreasonable delay” after discovery of a breach. Notification may be achieved through “written notification” or email. The bill also sets forth the contents of the notice, and authorizes substitute notification for entities with personal data of fewer than 1,000 individuals and for whom notification is infeasible due to excessive cost or lack of sufficient contact information. The FTC is tasked with promulgating guidelines concerning substitute notification.
In addition to providing notice, an entity incurring a security breach must also provide free consumer credit reports to affected individuals within two months of the breach. Also, once the FTC receives notification of a breach and determines that it would be in the public interest, it must post a notice of the breach on its website.
As noted above, H.R.958 exempts an entity from providing notice after a breach if it determines that there is no “reasonable risk of identity theft, fraud, or other unlawful conduct.” Further, encrypted data is presumed to pose no reasonable risk, although that presumption may be rebutted with evidence that the encryption is reasonably likely to be compromised. The bill then tasks the FTC with promulgating further regulations regarding exemptions, including those resulting from other technology rendering data indecipherable. H.R.958 also requires the FTC to study the practicality and cost effectiveness of notification in languages in addition to English.
The FTC and state attorneys general in coordination with the FTC may enforce violations of H.R.958. The bill states that a violation must be treated as an unfair and deceptive act or practice in violation of the FTC Act’s proscription of unfair or deceptive acts. H.R.958 provides for civil penalties as follows. The fine for failure to comply with the information security policies requirements or the information broker regulations is calculated by multiplying the number of violations by an amount under $11,000. Each day that an entity is not in compliance is treated as a violation; the maximum civil penalty is capped at $5,000,000.
The penalty for violation of the notice provisions of H.R.958 is calculated by multiplying the number of violations by an amount under $11,000. Each unsent notice is treated as a separate violation, and the maximum penalty is $5,000,000.
As with the Leahy-Specter and Feinstein proposals, H.R.958 preempts all state legislation in the field it covers.
Representative Lamar Smith has proposed a bill requiring notification of Federal law enforcement officials of certain data breaches and expanding the criminal code as part of the Republican “America’s Law and Order Agenda.” The “Cyber-Security Enhancement and Consumer Data Protection Act of 2007” (H.R.836) requires businesses and government agencies to notify the U.S. Secret Service or FBI of breaches involving (1) personal information of 10,000 or more individuals whose loss causes a “significant risk of identity theft”; (2) databases owned by the Federal Government; or (3) electronic data containing means of identifying Federal government employees or contractors involved in national security or law enforcement matters. The bill provides civil and criminal penalties for hiding such data breaches. In addition, Representative Smith’s bill defines computer fraud to include acquisition of personally identifiable information without authorization and to include any conspiracy to gain illicit access to computers. It also targets botnets. H.R.836 delegates rulemaking to the U.S. Attorney General and Secretary of Homeland Security, with implied enforcement powers for state attorneys general.
Representative Smith paired this bill with a proposal requiring ISPs to keep records on subscribers (the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act of 2007 (SAFETY Act), H.R.837).