By David Fagan & Libbie Canter

Last week, Congressman Bobby Rush (D-Ill.) reintroduced the Data Accountability and Trust Act (H.R. 1707).  During the 111th Congress, the House of Representatives approved the same measure by voice vote, but the legislation, introduced in the Senate by Senators Jay Rockefeller (D-WV) and Mark Pryor (D-Ark.), did not make it out of the Senate Commerce Committee before the end of the session.  The legislation would create a federal breach notification standard and authorize the FTC to promulgate information security and data disposal regulations.

  • Scope.  The legislation covers persons engaged in interstate commerce, with certain additional requirements applicable to information brokers.  The provisions generally apply to the ownership or possession of personal information, which is defined as a person’s “first name or initial and last name, or address, or phone number, in combination with any 1 or more of [certain] data elements.”  Those data elements include social security number, driver’s license number, other government-issued identification numbers, and financial account numbers. 
  • Breach Notification.  Following discovery of any unauthorized acquisition or access to electronic data containing personal information, businesses typically would be required to notify the FTC and any resident of the United States whose personal information was acquired or accessed.  Where notice is required to 5,000 or more individuals, the major credit reporting agencies would also need to be notified.
    • Timing.  Under the bill, notification would be required not later than 60 days following discovery of the breach, with a limited number of exceptions available.
    • Content Requirement.  Consumer notifications would be required to include the date of the breach; a description of the personal information accessed; a telephone number for further inquiries; notice that the individual is entitled to receive certain credit protection products at no charge (which the Act would require businesses to furnish); and contact information for the major credit reporting agencies and the FTC.
    • Obligation to Furnish Credit Products.  The bill indicates businesses will be required to provide or arrange for the provision of free consumer credit reports on a quarterly basis and credit monitoring to affected individuals for a period of two years following a breach.  The bill directs the FTC to promulgate rules with respect to the circumstances in which such credit products will be required to be offered.
    • Risk of Harm.  There is no notification requirement or other obligations on a business if it determines there is no reasonable risk of identity theft, fraud, or other unlawful conduct.  This is presumed to be the case if the data is encrypted or otherwise unreadable, although the bill directs the FTC to promulgate regulations on the technologies that adequately render data unreadable.
    • Service Providers.  Third parties contracted to maintain or process data and service providers would be required to notify the owner of the information, which would then have the obligation to notify the FTC and consumers.

  • FTC Regulations.  The FTC would be required to promulgate regulations providing for the establishment and implementation of information security policies and procedures.  In accordance with the legislation, the promulgated rules would require companies to establish processes to monitor for and mitigate security breaches and vulnerabilities and to dispose permanently of electronic and non-electronic data.
  • Information Brokers.  Additional obligations would be applicable to information brokers.  This term is defined to cover commercial entities whose business is to collect, assemble, or maintain personal information about individuals to sell such information to nonaffiliated third parties.  The heightened obligations applicable to information brokers would include an obligation to assure the accuracy of collected information and to make available a mechanism for individuals to review such information at least once per year.  The legislation would also impose a prohibition on obtaining information through pretextual means.
  • Enforcement.  A violation of the Act would be treated as an unfair and deceptive act or practice enforceable by the same means and powers as other violations of the FTC Act.  Absent intervention from the FTC, state attorneys general would also have authority to bring civil actions on behalf of residents and would be authorized to obtain damages, restitution, or other compensation plus statutory civil penalties (the number of days of noncompliance or number of violations multiplied by an amount not greater than $11,000, but not to exceed $5 million for each violation).
  • Preemption.  The Act would preempt state laws that require information security practices for personal information similar to those in the Act and would preempt state breach notification laws.  It specifically preserves state consumer protection law; trespass, contract, and tort law; and other state laws related to fraud.

As we have previously posted, Congresswoman Mary Bono Mack (R-Cal.), who chairs the House Subcommittee on Commerce, Manufacturing and Trade, has indicated that she plans to introduce her own data security and breach notification legislation.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David Fagan David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

David has been recognized by Chambers USA and Chambers

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

David has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer. Clients laud him for “[seeing] far more matters than many other lawyers,” his “incredible insight,” and “know[ing] how to structure deals to facilitate regulatory reviews” (Chambers USA).

David’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues—including through proactive mitigation and carve-outs—is a critical path for the transaction. David has handled transactions for clients across every sector subject to CFIUS review, including some of the most sensitive and complex matters that have set the template for CFIUS compliance and security agreements in their respective industries. He is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, David is regularly engaged by the world’s leading multi-national companies across a range of industries to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China, as well as on emerging legal issues such as outbound investment restrictions and regulations governing information and communications technologies and services (ICTS). David also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In addition, in the foreign investment and national security area, David is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense companies and private equity firms, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

In his cybersecurity practice, David has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. David has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.