As The Hill and other news outlets are reporting, Sen. Richard Blumenthal (D-CT) — who previously was one of the most active state attorneys general on privacy and data security issues before joining the Senate in 2011 — has introduced data protection legislation. This will be the eighth breach notification bill introduced on Capitol Hill during the 113th Congress.
The breach notification components of Sen. Blumenthal’s draft bill share some similarities with legislation introduced by Sen. Patrick Leahy (D-VT) (S. 1151):
- The legislation would give the Attorney General the primary enforcement role, but would authorize the Federal Trade Commission to craft rules as to appropriate data security controls and safeguards.
- Notice to the FBI and Secret Service would be required within 14 days of discovering a breach and 48 hours before notifying any individuals for any breach involving a certain number of individuals or a database of a certain size.
- Businesses would be required to notify individuals of a breach without unreasonable delay, but in any event within 60 days of discovering a breach.
- Like S. 1151, the Blumenthal legislation would relieve businesses from the obligation to notify consumers if there is no significant risk of harm to individuals, but would require businesses to document their risk of harm analysis in a written risk assessment submitted to law enforcement.
However, there appear to be a number of significant differentiators between Senator Blumenthal’s draft legislation and the other bills that have circulated. These include providing a private right of action — with attendant substantial civil penalties — for individuals to pursue in the event they are aggrieved by a violation of the Act’s data security protections or breach notification requirements. The draft bill also would create a presumption of commonality for class certification purposes and limit the ability of businesses to direct disputes to arbitration in advance of a breach. Finally, the bill would impose criminal penalties for certain online data collection practices conducted without the consent of individuals.