Last month, the Senate Commerce, Science, and Transportation Subcommittee held a hearing on S. 3742, the “Data Security and Breach Notification Act of 2010.” This legislation was introduced by Senator Mark Pryor (D-AR) and Senator John D. Rockefeller (D-WV). It is the Senate version of data security legislation sponsored in the House of Representatives by Rep. Bobby Rush (D-IL), which passed the House by voice vote on December 8, 2009 (H.R. 2221). Both bills would create a federal breach notification standard and authorize the FTC to promulgate information security and data disposal regulations.
- Scope. The legislation covers business entities and nonprofit organizations that acquire, maintain, or utilize personal information. Personal information is defined as a person’s “first name or initial and last name, or address, or phone number, in combination with any 1 or more of [certain] data elements.” Those data elements include social security number, driver’s license number, other government-issued identification numbers, and financial account numbers.
- Breach Notification. Following discovery of any unauthorized acquisition of, or access to, electronic data containing personal information, a covered entity generally would be required to notify the FTC and every U.S. resident whose personal information was acquired or accessed. Where notice is required to 5,000 or more individuals, the major credit reporting agencies would also have to be notified.
- Timing. Each notification is required not later than 60 days following discovery of the breach unless the entity can show that one of several exceptions is satisfied.
- Content Requirement. Consumer notifications generally must be in writing, but may be electronic in certain circumstances. Each notice must include the date of the breach; a description of the personal information accessed; a telephone number for further inquiries; a statement that the individual is entitled to receive certain credit protection products at no charge (which the Act requires the covered entity to furnish); and contact information for the major credit reporting agencies and the FTC.
- Risk of Harm. No notification is required if the entity determines there is no reasonable risk of identity theft, fraud, or other unlawful conduct. That absence of risk is presumed where the data was encrypted or otherwise rendered unreadable.
- Service Providers. Third parties that maintain or process data under contract, and service providers, would be required to notify the owner of the information of a breach; the owner would then bear the obligation to notify the FTC and consumers.
- FTC Regulations. The FTC would be required to promulgate regulations governing the establishment and implementation of information security policies and procedures. The rules must require covered entities to establish processes for monitoring and mitigating security breaches and vulnerabilities, and for the permanent disposal of electronic and non-electronic data containing personal information.
- Information Brokers. Additional obligations would apply to information brokers, a defined term that generally covers commercial entities whose business is to collect, assemble, or maintain personal information about individuals who are not current or former customers of the entity, in order to sell that information to nonaffiliated third parties. The heightened obligations include a duty to assure the accuracy of collected information that specifically identifies an individual, and a duty to provide a mechanism through which individuals can review such information at least once per year.
- Enforcement. A violation of the Act would be treated as an unfair or deceptive act or practice, enforceable by the same means and with the same powers as other violations of the FTC Act. Absent FTC intervention, state attorneys general would also have authority to bring civil actions on behalf of their residents and would be authorized to obtain damages, restitution, or other compensation plus statutory civil penalties (the number of days of noncompliance, or the number of violations, multiplied by an amount not greater than $11,000, but not to exceed $5 million for each violation).
- Preemption. The Act would preempt state laws requiring information security practices for personal information similar to those in the Act, and would preempt state breach notification laws. It specifically preserves state consumer protection law; trespass, contract, and tort law; and other state laws relating to fraud.