Last week Senator Pat Toomey (R-PA), along with one Independent and six other Republican Senators, introduced the “Data Security and Breach Notification Act of 2013.” The bill would provide businesses and consumers with a single set of rules for notifications in the event certain electronic records are compromised, preempting state data breach notification requirements and several federal laws that contain security requirements.
Generally, the bill would require covered entities to take “reasonable measures” to protect and secure data in electronic form containing “personal information.” In the event unencrypted, non-anonymized and non-public data is compromised or the covered entity reasonably believes the data has been accessed and acquired by an unauthorized person and the covered entity reasonably believes such access and acquisition has caused or will cause identity theft or other actual financial harm, then the covered entity must provide notification to the individuals affected. The bill includes provisions for delayed notification when directed by one of several specified federal agencies that determines notice would compromise a criminal investigation or national security.
Of particular note, the bill would require third-party agents and service providers who become aware of breaches to notify covered entities, who then have the responsibility to notify consumers and law enforcement. Today, most covered entities must contractually negotiate such notice, and when service providers become aware of a compromise, it is often unclear what notification responsibilities arise. Further, the bill would be enforced by the Federal Trade Commission, with violations treated as unfair or deceptive acts or practices under Section 5 of the FTC Act, with limits on liability and no private rights of action. The bill also gives the FTC jurisdiction over common carriers and specifically preempts state data security and breach notification laws, and supersedes Sections 222, 338 and 631 of the Communications Act with respect to the information security practices, including those related to the notification of unauthorized access to data in electronic form.
While both industry and consumers would benefit from a single set of rules for securing data and providing notice when such data is compromised, it is unlikely this bill in this form will provide the answer. The “reasonable measures” required to protect and secure data are unlikely to satisfy Senate Democrats such as CT Senator Richard Blumenthal, who previously introduced the Personal Data Protection and Breach Accountability Act of 2011. That bill set forth specific requirements for creating and maintaining a “personal data privacy and security program,” and created an expanded definition of sensitive personally identifiable information that went far beyond Senator Toomey’s personal information triggers. Nor does the Toomey bill provide the fixed notification timelines previously set forth in legislative proposals, ranging from 48 hours to 60 days. The absence of local law enforcement and state attorney general involvement, as well as credit bureau reporting, further reduces the likelihood of passage in its current form.
While privacy and data security are generally espoused as a bipartisan issue, the current Congress’s partisan split and inability to move legislation generally adds to the hurdles Toomey’s bill faces. There have been many such federal bills introduced over the last 10 years, yet none have made it to the President’s desk. Until both parties can find common ground on issues such as these, companies must still follow the patchwork of federal and state data security laws, notifying consumers of real and suspected breaches of certain information in one state, other information in another, by various methods and under differing timeframes. To view a summary of the state data breach notification laws, click here.