Reps. Burgess, Blackburn and Welch Release Data Breach Bill

On Thursday, March 12, 2015, House Energy & Commerce Subcommittee on Commerce, Manufacturing, and Trade Chairman Michael Burgess (R-TX), along with Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT), released draft text of new data security and breach notification legislation.  The bill, titled “Data Security and Breach Notification Act of 2015,” would create a federal uniform data security and breach notification standard.

The bill is very similar to other breach notification bills introduced in recent weeks, in that it would require covered entities to implement systems to secure private data and would require notice to affected individuals in the event of a breach.  However, the security requirements are more broad in nature; indeed, the bill requires covered entities to only “implement and maintain reasonable security measures and practices to protect and secure personal information in electronic form against unauthorized access as appropriate for the size and complexity of such covered entity and the nature and scope of its activities.”  A summary released by the subcommittee states, “The requirement is a technology and process neutral standard to protect consumers while being flexible enough to allow for innovation and new technologies.”

Covered entities are defined as “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other entity in or affecting commerce that acquires, maintains, stores, sells, or otherwise uses data in electronic form that includes personal information, over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act.”  The definition exempts entities covered by the Health Insurance Portability and Accountability Act, (HIPAA) as well as those governed by the Gramm-Leach-Bliley Act.

Under the bill, covered entities would be required to give notice of a breach to consumers no later than 30 days after discovery of a breach, unless there is no risk of identity theft or economic harm due to protective measures, such as encryption of data.  If the breach affects more than 10,000 people, the affected entity must also notify the Federal Trade Commission (FTC), FBI and Secret Service, as well as the consumer credit reporting agencies.  Affected entities may provide notice either through written mail or email.

As with other proposals, enforcement power would be given to the FTC, while state attorneys general would also have the power to bring civil actions in U.S. district court.  The bill would preempt all state laws governing data security and breach notification.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising

Written by:

Akin Gump Strauss Hauer & Feld LLP

Akin Gump Strauss Hauer & Feld LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.