Significant Federal and State Legislative Activity Concerning Data Security, Breach Notification, and Related Privacy Issues Continues
In the wake of several high-profile data breaches in 2005, state and federal legislative activity to address consumer notification of security breaches and other privacy issues has continued at a sharp pace. In the spring we reported that six states, Arkansas, Georgia, Indiana (applies to state agencies only), Montana, North Dakota, and Washington, had recently enacted consumer notification laws. See News Update dated May 19, 2005. Since then, the governors of an additional ten states, Connecticut, Delaware, Florida, Illinois, Louisiana, Maine, Minnesota, Nevada, Rhode Island, and Texas have signed or allowed similar legislation to become law. The New Jersey and New York legislatures have also passed data breach notification legislation that has been sent to the respective governors. Most of these state laws are patterned after the landmark data breach notification legislation passed by California in 2003 (See News Update dated June 13, 2003), which was widely credited with forcing the security breach disclosures made by ChoicePoint, LexisNexis, and others.
The differing provisions in the state laws have created a patchwork of inconsistent requirements that raise substantial compliance concerns for businesses that maintain or use personal information. These concerns, as well as widespread news reports of data breaches, and increasing consumer worries over privacy protection and identity theft, have also prompted the introduction of new federal legislation. Although various data security bills were introduced in Congress in this spring, only recently have legislators introduced bipartisan bills having a greater likelihood of garnering enough support for passage. Specifically, on June 29, 2005, Senators Spector and Leahy introduced S. 1332, the Personal Data Privacy and Security Act of 2005 (“PDPSA”) in the Judiciary Committee and on July 14, 2005, a bipartisan group of Senators introduced S. 1408, the Identity Theft Protection Act (“ITPA”) in the Commerce Committee. In the House, a bipartisan “discussion draft” bill is circulating that will likely be modified further prior to introduction in the Energy and Commerce Committee.
S. 1332 – Personal Data Privacy and Security Act of 2005
The PDPSA is a lengthy (over 90 pages) and comprehensive data security and privacy bill containing breach notification provisions, extensive regulation of data brokers, requirements for businesses to implement a data and security program, and various other provisions such as new restrictions on the use of social security numbers. The PDPSA’s “security breach” notification provisions apply to all businesses engaged in interstate commerce that in any way use or store personally identifiable information in electronic or digital form. Similar to many state laws, a “security breach” is a “compromise of the security, confidentiality, or integrity of computerized data through misrepresentation or actions that result in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to sensitive personally identifiable information.” “Sensitive personally identifiable information” means “any name or number used in conjunction with other information to identify a specific individual.” “Other information” includes a number of items such as name, social security number, date of birth, unique biometric data, unique electronic identification number, address or routing code, or telecommunication identifying information or access device. However, unlike the laws in California and other states, there is no exemption for encrypted data.
Under the PDPSA, whenever there is a security breach, a business must “expeditiously and without unreasonable delay,” notify the individual whose information was compromised (if specific individuals can be identified). The notice must detail the nature of the sensitive personally identifiable information impacted by the security breach and contain notice of certain rights and resources available to the individual. If the security breach involved more than 1,000 individuals, the business shall also promptly notify every credit reporting agency (“CRA”) that compiles and maintains files on consumers on a nationwide basis, such as Equifax, Trans Union and Experian. If the breach impacts more than 10,000 individuals or a database or system with over one million people, the business must, within 14 days of discovery, notify the Secret Service and the state Attorney General of each state affected by the security breach. The individual and CRA notices can be delayed if they would impede a criminal investigation. In addition, whenever security breach notification to individuals is required, the business must provide those individuals monthly access to their credit report for up to one year and credit monitoring services for up to one year. Significantly, the PDPSA makes an intentional and willful concealment of a security breach a crime punishable up to 5 years in prison and/or fine.
Although encrypted data is still covered by the PDPSA, the bill contains significant exceptions to the security breach notification requirements that go beyond the exceptions in California and many other states. If the business conducts a risk assessment in consultation with state and federal law enforcement and concludes that the risk of identity theft or other harm to those individuals whose information was compromised is minimal, then no notice to individuals or consumer reporting agencies is required. Alternatively, if the information compromised cannot be used to perpetrate a fraud, the business has a security program in place that blocks any unauthorized transactions prior to an individual’s account being charged, and the business has a policy in place (that it follows) to notify individuals of security breaches that result in fraud or unauthorized transactions, no notice is required.
The PDPSA’s data privacy and security program requirements apply to any business engaged in interstate commerce that in any way use or store personally identifiable information in electronic or digital form on more than 10,000 persons in the United States (excepting financial institutions subject to the Gramm Leach Bliley Act and “covered entities” subject to HIPAA). Businesses subject to the PDPSA would be required to implement a comprehensive personal data privacy and security program and conduct ongoing risk assessments and vulnerability testing similar to the Gramm-Leach-Bliley Interagency Guidelines Establishing Standards for Safeguarding Customer Information.
Other aspects of the PDPSA include prohibiting businesses from requiring individuals to provide their social security numbers to obtain goods or services (subject to certain exceptions) or using social security numbers as account numbers. Individuals cannot be denied goods or services for failing to provide a social security number or for refusing to allow it to be used as an account number. Certain other requirements apply to “data brokers,” such as ChoicePoint, that regularly collect, transmit, or otherwise provide personally identifiable information on individuals that are not their own customers or employees. In addition, the PDPSA enhances penalties for identity theft and govern certain aspects of the Federal Government’s treatment of its contractors.
The PDPSA contains significant preemption provisions that would nullify many state data breach notification laws and other similar provisions. The PDPSA also includes steep penalties. For example, the penalties for violation of the data breach notification provisions include fines of up to $5,000 per day per violation and up to $55,000 total per day with potential doubling of these fines for intentional or willful violations.
S. 1408 – Identity Theft Protection Act of 2005
Like the PDPSA, the ITPA has data security breach notification provisions, requirements for businesses to improve protection of sensitive information, and restrictions on the use of social security numbers. It also contains provisions allowing individuals to freeze credit reports. The ITPA’s “security breach” notification provisions apply to any business that “acquires, maintains, or utilizes ‘sensitive personal information.’” Although the definition of security breach is generally similar to many state laws, it is not quite as broad as others – a security breach only occurs if there is “a reasonable risk of identity theft to an individual.” While this may eliminate burdensome notice requirements in instances of mere unauthorized access, it still may be difficult for a company to determine whether there is such a reasonable risk after determining that unauthorized access occurred. “Sensitive personal information” is an individual’s name, address, or telephone number in conjunction with another data element such as a social security number, financial account number combined with a password or security account, consumer credit report, genetic or biometric information, or an individual’s mother’s maiden name. Like the PDPSA, there is no exemption for encrypted data.
The ITPA’s data breach notification provisions are generally similar to the PDPSA’s with some minor differences. One significant difference is that the FTC is given extensive rulemaking authority. Under the ITPA, the FTC will establish rules governing the methods of notification and the contents of the notices. In addition, the FTC is granted broad rulemaking authority to establish regulations requiring businesses to develop and implement information security programs, the verification of credentials for any third party seeking to obtain sensitive personal information from a business, and record disposal procedures. The ITPA also contains a prohibition on the solicitation of social security numbers and contains credit report security freeze provisions applicable to consumer credit reporting agencies. The ITPA also contains significant preemption provisions and maximum fines of $11,000 per individual and eleven million dollars total for all individuals regarding the same violation.
House Energy and Commerce Committee Draft Bill
The draft bill being circulated by members of the House Energy and Commerce Committee focuses on information security requirements and security breach notification. The draft bill gives the FTC more rulemaking authority than any other introduced bill. The FTC would be responsible for implementing regulations governing information security practices and treatment of personal information as well as the method and content of security breach notifications. It leaves to the FTC the responsibility of defining the term “breach of security.” The FTC Chairman has stated she supports a definition requiring notice only when there is a “significant risk” of identity theft – a higher threshold than in any pending bill. However, the draft does specify that the term shall mean at a minimum, the compromise of data when “there is a reasonable basis to conclude” its acquisition by an unauthorized person may result in identity theft, a standard not unlike the other bills. The bill would also impose additional requirements on data brokers regarding their security policies and individuals’ access to their personal information. Like the PDPSA and the ITPA, there is no exemption for encrypted data. The draft bill also contains strong preemption provisions.
The proliferation of state laws regarding data breach notification and data protection increases the likelihood that there will be new federal legislation, if not this year then next, with at least some type of preemption provisions. In addition to the federal legislation discussed above, there are at least five other bills pending in Congress covering various aspects of data protection or breach notification and more may be forthcoming. The specifics of any ultimate federal legislation on these issues will likely have a profound effect on a company’s information security and disclosure practices.
If you would like further details or guidance concerning existing state or federal privacy and security laws or legislation that has been proposed in the states or Congress, please contact us.