Seeking Compromise on Data Breach Notice BillMeasure Would Void 47 State Notification Statutes
A draft bill circulating in Congress to create national requirements for data breach notification could be the vehicle used to win political support for a compromise from lawmakers supporting the divergent interests of the business community and privacy advocates.
"This needs work, this needs tinkering, but this might be what a compromise bill looks like," Lisa Sotto, a privacy and cybersecurity law partner at Hunton & Williams, says after reviewing the draft of the Data Security and Breach Notification Act of 2015.
Reps. Marsha Blackburn, R-Tenn., and Peter Welch, D-Vt. began circulating the discussion draft of the legislation on March 12. If enacted, the bill would usurp 47 state data breach notification laws with a single federal statute. The House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade will hold a hearing March 18 on the proposed legislation.
Welch says he expects changes will be made to the draft before it comes up for a vote. "While this draft bill is far from perfect, it is an important step in the right direction," he says, adding that he will work with his colleagues "to make practical improvements to it as it works its way through the legislative process."
Privacy Protections Questioned
Still, not every lawmaker is on board. Two senior Democrats on the House Energy and Commerce Committee - Reps. Frank Pallone of New Jersey and Jan Schakowsky of Illinois - have expressed disappointment in the legislation. "We have numerous concerns about the weakening of consumer protections overall, as well as the dilution of protections for customers of telecommunications and cable services," the lawmakers say in a statement. "We will continue to work for legislation that provides the strongest possible safeguards and protections for American consumers." The two representatives did not specify explicit provisions in the bill they found objectionable.
But data privacy and security lawyer FranÃ§oise Gilbert of the IT Law Group says the measure would eliminate some of the privacy protections provided by state data breach laws. "I see mostly weaknesses," Gilbert says the draft legislation. "The scope of coverage is limited, the requirements are limited, the rights of the individuals are limited and the definitions are so vague that companies will continue to struggle in trying to implement the requirements."
Differing Definitions of What Constitutes PII
Gilbert points out that California's data breach disclosure law, one of the toughest in the nation, explicitly cites user identification or an email address when coupled with a password as being considered personally identifiable information when used to access an online account, something the draft bill doesn't provide.
A provision in the draft bill states that a combination of user name and password would be considered PII if it's required to be used by an individual "to obtain money, or purchase goods, services or any other thing of value." It doesn't say the combination of user name and password are deemed as PII if they're used to gain access to an online account for nonfinancial purposes.
However, Sotto says the term "any other thing of value" in the draft bill is amorphous and might be interpreted to include reputation - something she says privacy advocates would like.
No Safeguards for Paper Records
Some state laws extend breach notification requirements to non-digital documents, but the draft legislation does not cover paper records. Enactment of the draft measure would void those paper-document protections. "Think, for example of the numerous reports of individuals who discover boxes full of account's record - tax returns and related information - unshredded in landfills," Gilbert says.
Still, the main thrust of the bill is to establish a single, national data breach notification law. Business groups complain that it's costly to comply with more than four dozen laws, a point with which President Obama agrees.
The draft bill also would require the notification of a breach only if a "reasonable risk" exists that the security incident would result in identity theft, economic harm or financial fraud to individuals whose information was exposed. Business groups generally favor such narrow notification rules; privacy advocates mostly dislike such a provision.
Sotto says the draft legislation, if enacted, also would void Massachusetts regulations that require businesses to adhere to prescriptive security measures.
Requiring 'Reasonable' Security Measures
Sponsors Blackburn and Welch say their bill would for the first time set a national standard for businesses and not-for-profit organizations to implement and maintain "reasonable security measures and practices" to protect and secure personal information, though the legislation doesn't prescribe specific measures and practices.
The draft bill gives the Federal Trade Commission and states' attorneys general the authority to enforce the law. Each violation would be subject to a fine of up to $2.5 million. Organizations that must comply with the Health Insurance Portability and Accountability Act's breach notification requirements would be exempt for the draft legislation.
Among the provisions regarding breach notification, the draft legislation would require organizations to conduct a good faith investigation after discovering a breach to determine if there is a reasonable risk of identity theft, economic loss or harm or financial fraud.
30 Days to Notify
The bill also would require notification to consumers no later than 30 days after the organization has taken "necessary measures" to determine the scope of the breach and restored the reasonable integrity, security and confidentiality of the data systems.
State laws vary on when organizations must notify consumers of a breach; many simply state that notification must be made in a reasonable amount of time; others have specific time limits.
Even the requirement of notifying consumers after fixing a breach won't be easy for many businesses to implement, Sotto says. "It's hard for companies to notify 30 days after they've taken reasonable measures because they still have to parse the data of sometimes many, many hundreds of thousands of people, to figure out where they are and how to notify them," she says. "But it seems to be a reasonable compromise."