Who Is Covered?
The proposed bill covers all types of business entities, both for-profit and not-for-profit. State and federal governments are not covered.
How Is Data Defined?
The proposed bill has a detailed definition of personal information. The bill defines “sensitive personally identifiable information” as “any information or compilation of information in electronic or digital form that includes:
- An individual’s first and last name or first initial or last name in combination with any two of the following data elements: home address or phone number; mother’s maiden name; month, day, and year of birth.
- One’s complete Social Security number, driver’s license number, passport number, alien registration number, or government-issued unique identification number
- Biometric data
- A unique account identifier (e.g., credit card number, financial account number, routing code, electronic identification number, or user name).
- User name or e-mail address in combination with a password or security question and answer
- A combination of data elements.”
What Is The Protocol?
Pursuant to the proposed legislation, the notification requirement would apply to all business entities “engaged in or affecting interstate commerce, that uses, access, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12 month period…” Notification is required immediately after discovery of the breach; however, the entity can request a thirty-day extension, and a longer delay is possible where a federal law enforcement agency requests additional time because of an active investigation.
The bill also provides companies with exceptions from the notification requirement. Exceptions include, but are not limited to, matters of national security, cases where the information was encrypted, and security programs that automatically notify the user of fraudulent use of a credit card.
The other exemption is the risk assessment exception, which applies when an entity conducts a study of its data security system and shows that the breach poses no reasonable risk of harm because of how the information is protected. The risk assessment is evaluated against the bill’s data security standards; failure to comply with those standards would be a violation under the unfair or deceptive trade practice standard. The risk assessment must be in writing, and documentation of the assessment must be provided within thirty days after the alleged incident.
If no exception applies, notice must be given to the affected individuals. The notice must include a description of the personal information that was compromised; toll-free numbers the individual may call to obtain further information from the entity, the major credit reporting agencies, and the Federal Trade Commission; and any assistance available from the state in which the victim lives.
Who Has Jurisdiction?
The Federal Trade Commission has jurisdiction under the proposed legislation. As previously stated, the Federal Trade Commission would use the unfair or deceptive trade practice standard to enforce all violations.
What Is The Impact To State Notification Laws?
The proposed legislation would supersede all state notification laws as they apply to the entities defined above. However, state attorneys general can file a data breach action against such entities only if “the interest of residents of that State has been or is threatened or adversely affected by the engagement of a business entity in a practice that is prohibited under this title or the failure to meet a requirement imposed under this title…” If the state meets this standard, it can impose, among other things, a fine of $1,000 per victim, up to $1,000,000.
Potential Issues:
As with any newly proposed legislation, there are many issues that Congress and the White House would need to work out.
One of the first issues is the jurisdictional overlap with the other federal data breach statutes. Currently, there are federal data breach provisions for the medical sector (HIPAA and HITECH), the financial sector (GLBA), and the education sector (FERPA). Although the bill exempts entities covered under HITECH, it provides no exemption for entities covered under the other statutes listed above. Any federal data breach legislation needs to either exempt entities already covered by those statutes or incorporate those statutes into the new law. Failure to do so would result in confusion, including the prospect of double jeopardy if two federal agencies were to prosecute the same entity under different federal statutes covering data breaches.
Congress also needs to clarify the states’ role under this section. The question of double jeopardy would also arise here if a state files suit after the Federal Trade Commission has issued its administrative decision.
We can expect more data breaches like those that affected Target, Sony, and, in 2015, even our own government. The pressure for a federal data breach law will mount with each breach. However, Congress and the White House would need to work together to develop data breach legislation that is clear, concise, and complements the other federal data breach provisions.
We will keep you updated regarding the progress of this legislation. Please do not hesitate to contact us to discuss ways that we can help your company become data privacy compliant before any federal data breach law is passed.