Sen. Pat Toomey (R-PA) recently introduced a bill in the United States Senate that would establish a federal breach notification requirement for certain companies and preempt state breach notification laws that are currently in effect for 46 states.  The Data Security and Breach Notification Act of 2012, S.3333, would require companies that “collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security.”  Toomey cited the “messy patchwork of 46 different state laws” that companies must account for in responding to a data breach, and asserted that, by preempting those laws, his bill would “establish a single reasonable standard for information security and breach notification practices.”

The bill applies to entities that are subject to the Federal Trade Commission’s jurisdiction under Section 5 of the FTC Act, and “common carriers subject to the Communications Act of 1934.”  S.3333 would not apply to financial institutions that are covered under Title V of the Gramm-Leach-Bliley Act or covered entities that are subject to breach notification requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The bill contains two basic requirements.  Entities must (1) “take reasonable measures to protect and secure data in electronic form containing personal information,” and (2) notify individuals of security breaches that affect their personal information.  The notification may be in writing, by telephone, or by email, and must include the estimated date of the breach, “a description of the personal information that was accessed or acquired…as part of the security breach,” and contact information for the company.  When a company reasonably believes that a breach affects more than 10,000 people, it must also notify the Federal Bureau of Investigation or the Secret Service.  If individual notification would impose an “excessive cost” on the company, or the company lacks sufficient contact information for the affected individuals, it could comply with the statute by providing substitute notice through its website or other publication.  Because the bill creates no private right of action, its monetary exposure is limited to civil penalties, which it would cap at $500,000 for a single breach of security or for violations resulting from the same act or omission.

The bill’s breach notification provisions are less restrictive than some of the state breach notification laws that it would preempt.  For example, while some states impose a “strict liability” requirement that companies notify consumers of a security breach regardless of perceived harm, Sen. Toomey’s bill requires notification only when the company reasonably believes that the breach “has caused or will cause” harm, such as identity theft or other financial harm; in practice this places the threshold decision in the hands of the breached company’s own risk assessment.  S.3333 does not set a specific timeframe for notification, and instead requires that notification “be made as expeditiously as practicable and without unreasonable delay, consistent with any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the data system that was breached.”  While this standard is consistent with most state breach notification laws, the bill would preempt the handful of state statutes that do impose a maximum time period for reporting a breach.  For example, Vermont’s breach notification statute requires companies to notify the attorney general within 14 days and to notify consumers within 45 days of discovery.  Sen. Toomey’s bill also does not provide for a private right of action, and would preempt the private rights of action that are currently available under some state laws.

The legislation has four co-sponsors: Sens. Roy Blunt (R-Mo.), Jim DeMint (R-SC), Dean Heller (R-NV) and Olympia Snowe (R-ME).