On March 12, 2015, bipartisan members of the powerful House Energy and Commerce Committee, Subcommittee on Commerce, Manufacturing, and Trade announced draft legislation to address increasing concerns about data security vulnerabilities and challenges.

The "Data Security and Breach Notification Act" (the "Act"), authored by Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-TN) and Representative Peter Welch (D-VT), would create a national standard for safeguarding electronic personal information, and mandate notification and reporting of possible breaches, specifically preempting current state laws.

Here are some highlights of the discussion draft:

What is Personal Information under the Act?

Personal Information is broadly defined to include a person's name coupled with (i) a driver's license or other government-issued unique identification number, or (ii) two of the following: home address or telephone number, mother's maiden name, or date of birth.  Financial account information, access codes, biometric data, and certain information associated with Voice over Internet Protocol are also defined as Personal Information under the Act.

Who is covered under the Act?

Any person or legal entity that acquires, maintains, stores, sells or otherwise uses Personal Information in an electronic form that is under the jurisdiction of the Federal Trade Commission's unfair and deceptive trade practices authority is a "covered entity" under the Act.  The definition of covered entity also includes any non-profit and certain common carriers.  This is a very broad definition and would include most businesses.  It is important to note that a "covered entity" under the Act is not the same as a HIPAA Covered Entity.

What must covered entities do?

A covered entity must implement and maintain "reasonable" security measures and practices to protect electronic personal information from being improperly accessed.  The reasonableness of specific measures and practices will vary based on the type of covered entity and the nature of its activities with respect to personal information.  While very general, the Act creates a national standard for protecting personal information across all industries.

Covered entities must also conduct prompt investigations of possible data breaches.  Unless the covered entity determines that there is "no reasonable risk" of harm to individuals whose personal information was breached, it must notify every US resident affected.  If more than 10,000 individuals were involved, the Act would require the covered entity to notify the Federal Trade Commission (FTC) and either the US Secret Service or the FBI.

Who can enforce the Act?

A violation of the Act would be an unfair and deceptive trade practice under the FTC Act.  The FTC would have enforcement power over covered entities.  Importantly, every State Attorney General would be granted legal authority to enforce the Act in federal court on behalf of individuals whose personal information was breached.  However, individuals would not be allowed to sue covered entities directly.

What are the penalties for violations of the Act?

The penalties are substantial. If a covered entity fails to implement reasonable security measures or fails to promptly notify individuals of a possible breach, the FTC will treat this as an unfair and deceptive trade practice.  The FTC can impose administrative fines and penalties and can order that the covered entity comply with the Act.

The Act specifically empowers state Attorneys General to sue covered entities in federal court and seek a court order to compel the covered entity to comply with the Act, seek injunctive relief to stop suspected violations of the Act, and seek civil money penalties of up to $2.5 million for each failure to protect data and another $2.5 million for each single breach.  Even with these caps, the civil money penalties can add up quickly.

How does the Act affect HIPAA, GLBA, and other privacy laws?

The Act specifically preempts all "related" state data security laws.  The Act specifically does not preempt HIPAA or Gramm-Leach-Bliley.  The effect on other federal laws has yet to be determined.

What is next?

The President has identified the need for national data privacy legislation and has proposed his own legislation to address this need.  There will, no doubt, be other bills introduced into Congress to address this national priority.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.