On January 12, 2015, during a speech before the Federal Trade Commission (FTC), President Barack Obama announced that he would propose legislation to create a national, uniform data breach notification law. The White House later released the full text of the proposed bill. The President highlighted that a national breach notification law would benefit both consumers and notifying companies by pre-empting and streamlining the current system: “right now almost every state has a different law on this and it’s confusing for consumers and it’s confusing for companies – and it’s costly too, to have to comply with this patchwork of laws.” There are currently 47 state breach notification laws (with Alabama, New Mexico and South Dakota as the holdout states) as well as separate statutes in the District of Columbia, Guam, Puerto Rico and the Virgin Islands. The proposed bill would require companies to notify affected individuals within 30 days of discovering a breach. Companies would also be required, in some circumstances, to notify a federal entity that will be designated by the Secretary of Homeland Security.
Under current state laws, companies must notify affected individuals and, in some instances, state regulators such as Attorneys General after discovering a “breach” that compromises “personal information,” as those terms are defined by each statute. Generally, the statutes define “personal information” as an individual’s name combined with an additional sensitive data element, such as a Social Security Number, driver’s license number, or credit card data; the definitions, however, vary by state. The proposed bill includes a substantially broader definition of “personal information.” The bill defines “sensitive personally identifiable information” in several ways, one of which is an individual’s name combined with any two of the following elements: the individual’s “home address or telephone number; [m]other’s maiden name; [or] month, day, and year of birth.”
In a significant departure from most state laws, under the proposed bill several data elements, on their own, satisfy the definition of “sensitive personally identifiable information,” which means that they need not be connected to an individual’s name to trigger notification obligations. Importantly, one such data element is an individual’s “credit or debit card number.” Other elements that, standing alone, trigger the statute include “a non-truncated social security number, driver’s license number, passport number, or alien registration number or other government-issued unique identification number;” “unique biometric data such as a finger print;” and a “user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.” Currently, no state law requires notification when an account number, credit card number, driver’s license or passport number alone is compromised, and only California and Florida require notification when a user name or e-mail address and password are compromised in a breach. In addition, the FTC is empowered to amend the definition of sensitive personally identifiable information “to the extent that such amendment will not unreasonably impede interstate commerce, and will accomplish the purposes of this title.”
Under the proposed bill, a “security breach” includes both unauthorized access to and unauthorized acquisition of sensitive personally identifiable information. Currently, the states are somewhat divided on whether unauthorized access alone constitutes a security breach.
The proposed bill does provide three important exemptions from notifying individuals of a breach. First, the statute does not require notification if “there is no reasonable risk of harm or fraud” to an individual. This exemption applies only if the business entity invoking it conducts a valid risk assessment and shares the results with the FTC. Only some of the current “patchwork” of state laws include such a “risk of harm” exemption, and none require business entities to provide the results of their risk assessment to the FTC. Second, the statute would not apply to covered entities and business associates subject to HIPAA and its data breach notification requirements. Only some state laws currently exempt such entities. Third, and unique to the proposed national bill, notification obligations attach only to an entity that “uses, accesses, transmits, stores, disposes of or collects” information on “more than 10,000 individuals during any 12-month period.”
The proposed bill also takes steps to address a common issue found in state laws: identifying whether the breached entity or the owner or licensee of the breached information (if different) is required to notify affected individuals. The bill resolves this issue by requiring that the breached entity notify affected individuals regardless of whether it “own[s] or license[s]” the information in question. If the breached entity does not own or license the data, it is also required to notify the owner or licensee of the incident. Notification to an owner or licensee, however, does not by itself absolve the breached entity of its obligation to notify affected individuals; the breached entity is relieved only if the owner or licensee actually makes that notification. The proposed bill states that a “business entity obligated to give notice” under the act “shall be relieved of such obligation if an owner or licensee of the sensitive personally identifiable information subject to the security breach . . . provides such notification.” (emphasis added). The act is also explicit that it does not “prevent or abrogate an agreement” that transfers a notification obligation to another party.
Notably, the proposed bill would include nonprofit organizations in the definition of business entities subject to the proposed Act.
Under the proposed bill, both state Attorneys General and the FTC would have enforcement powers. The President is expected to address cybersecurity issues and this proposed bill during his State of the Union Address on Tuesday, January 20th.