Yesterday, the Senate Judiciary Committee approved legislation introduced by Committee Chairman Patrick Leahy (D-VT) (S. 1151) that would require firms to develop comprehensive data security programs and would impose a federal breach notice obligation on firms. The same day, the Committee also approved amended versions of breach notification measures introduced by Sen. Dianne Feinstein (D-CA) (S. 1408) and Richard Blumenthal (D-CT) (S. 1535). All three bills were approved by the Committee along party lines.
As we have discussed in previous posts, S. 1151 would require business entities to develop a data privacy and security plan for protecting sensitive personally identifiable information, require agencies and business entities to notify U.S. residents in the event of a security breach involving such information, and impose criminal penalties for intentionally and willfully failing to provide notice of a security breach. Yesterday, through an amendment offered by Sen. Al Franken (D-MN), the Committee added a data minimization principle to S. 1151. The original version of the bill also contained separate privacy requirements for data brokers, but a substitute amendment deleting that title was adopted by the Committee last Thursday.
Separate data security bills authorized by Sens. Feinstein and Blumenthal were approved by the Committee yesterday during the same meeting. The breach notification components of both bills share certain similarities with S. 1151:
- The Senate bills define personal information to include certain data elements that are not covered in Rep. Mary Bono Mack’s (R-CA) breach notice legislation (H.R. 2577). It would cover, for example, an individual’s name plus biometric data or an individual’s name plus both the person’s date of birth and his or her mother’s maiden name.
- The bills would relieve businesses from the obligation to notify consumers if there is no significant risk of harm to individuals, but would require businesses to document their risk of harm analysis in a written risk assessment submitted to law enforcement.
- The legislation would give the Attorney General the primary enforcement role, but would authorize the Federal Trade Commission to craft rules as to appropriate data security controls and safeguards. In contrast, H.R. 2577 would give the FTC the primary enforcement role.
Senator Feinstein’s bill is limited to breach notification obligations and does not include information security requirements. (More details about Senator Feinstein’s bill, as introduced, are available here.) Sen. Blumenthal’s legislation goes beyond S. 1151 in important respects: as we discussed here, S. 1535 would authorize private rights of action — with attendant substantial civil penalties — for individuals to pursue in the event they are aggrieved by a violation of the Act’s data security protections or breach notification requirements. Senator Blumenthal’s legislation also would limit the ability of businesses to direct disputes to arbitration in advance of a breach. And, the bill would impose criminal penalties for certain online data collection practices conducted without the consent of individuals.
The version of S. 1151 approved by the Committee also includes an amendment proposed by Sen. Chuck Grassley (R-IO), which clarified that the definition of “exceeds authorized access” in the Computer Fraud and Abuse Act does not include violations of Internet terms of service agreements or employment agreements restricting computer access.
While the Committee’s actions advances these pieces of legislation, it does little to clarify the landscape and prospects for data security legislation in this term. There remain at least eight separate active legislative proposals in the House and Senate. Barring dramatic developments, it seems unlikely that the Congress will resolve these various proposals and gain consensus over a single piece of legislation as we move into an election year.