breach notification

By Ani Gevorkian

The issues of data breach notification and data security received a fair amount of attention in the House this week: On Wednesday, the House Energy and Commerce Subcommittee on Trade approved one data breach bill, and on Thursday, Rep. Jim Langevin (D-RI), co-chairman of the House Cybersecurity Caucus, announced the release of another.

The bill approved on Wednesday—the Data Security and Breach Notification Act—is sponsored by Reps. Michael Burgess (R-TX), Marsha Blackburn (R-TN), and Peter Welch (D-VT). It would require companies to maintain reasonable security practices and to inform customers within 30 days if their data might have been stolen during a breach. It would also empower the Federal Trade Commission (“FTC”) to enforce the bill’s rules.
Continue Reading House Focuses on Data Breach Bills

By Caleb Skeath

Last week, Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) re-introduced the Data Accountability and Trust Act (DATA Act) in the House of Representatives. The bill (H.R. 580), which has been introduced several times in previous years, would provide a nationwide data security standard, backed by FTC enforcement and civil penalties, as well as provisions requiring notification to affected individuals in the event of a data breach. Meanwhile, Sens. Dianne Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR), and Bill Nelson (D-FL) introduced a similar bill, the Data Security and Breach Notification Act (S. 177), in the Senate this week. The Senate bill is also a re-introduction of a previous bill, and would likewise provide FTC-enforced security standards and individual breach notifications.

Although the text of the DATA Act has not yet been released, a release from the bill’s sponsors stated that the bill will be “substantially similar” to prior versions. According to the release, the bill will define “personal information” to include an individual’s name in connection with (1) a Social Security number, (2) a driver’s license, passport, or other government-issued identification number, or (3) a financial account or credit or debit card number in combination with a security code or password that would permit access to an individual’s financial account. Commercial entities that own or process personal information would be required to implement effective information security procedures and policies to safeguard that information. Following a breach, entities would have to notify the affected individuals, in addition to the FTC. The FTC and state attorneys general would enforce the provisions of the bill, which would allow for civil penalties of up to $5 million for violations. The bill’s sponsors have announced a public briefing on the bill on February 6, during which they will provide more information about the bill’s provisions.
Continue Reading Data Breach Notification Bills Introduced in House and Senate

This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation. Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in both the House and Senate to replace the 47 existing state data breach laws with a single national standard have so far been unsuccessful. This activity in the House is yet another attempt to enact a federal law governing data security, and today’s hearing made clear that many practical questions remain for lawmakers to “get it right” on a data breach bill, as Rep. Fred Upton (R-MI) put it.
Continue Reading House Debates Federal Data Breach Legislation

Tomorrow at 10:00 a.m., the House Subcommittee on Commerce, Manufacturing, and Trade will hold a hearing to determine what elements should be included in federal data-breach legislation.  The following witnesses are scheduled to testify:

  • Elizabeth Hyman, Tech America Executive Vice President of Public Policy
  • Jennifer Glasgow, Acxiom Chief Privacy Officer

Continue Reading House Subcommittee to Hold Hearing and Begin Drafting Data Breach Bill

The Article 29 Data Protection Working Party (“Working Party”), the independent European advisory body on data protection and privacy, composed of representatives of the data protection authorities of each of the EU member states, the European Data Protection Supervisor (the “EDPS”) and the European Commission, has identified a number of significant data protection challenges related to the Internet of Things. Its recent Opinion 08/2014 on the Recent Developments on the Internet of Things (the “Opinion”), adopted on September 16, 2014, provides guidance on how the EU legal framework should be applied in this context. The Opinion complements earlier guidance on apps on smart devices (see InsidePrivacy, EU Data Protection Working Party Sets Out App Privacy Recommendations, March 15, 2013).
Continue Reading Internet of Things Poses a Number of Significant Data Protection Challenges, Say EU Watchdogs

Last Friday, Florida’s governor signed into law the Florida Information Protection Act of 2014 (“FIPA”), a bill repealing Florida’s existing data security breach notice law and replacing it with what will be one of the nation’s most stringent breach notice laws. This post summarizes the key aspects of the new law, which becomes effective July 1, 2014.

The Definition of “Personal Information” Now Includes Online Account Credentials

FIPA broadly defines the type of information that, if breached, could require a company to provide notice to consumers and (as discussed below) regulators (“personal information”). Going beyond the narrow scope of information protected by most state data breach laws, FIPA’s definition of personal information includes “a user name or e-mail, in combination with a password or security question and answer that would permit access to an online account.” (California’s breach notice law also defines covered information to include online account credentials.)

Notice to Individuals Must Now Be Provided Within 30 Days of the Incident

The new law states that any required notices to individuals generally must be provided “no later than 30 days after the determination of a breach or reason to believe a breach occurred.” This represents a shortening of Florida’s existing 45-day notice requirement.
Continue Reading Florida Enacts Stringent Breach Notice Law

Last week, Kentucky governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation.  The law requires companies that suffer a data breach to provide notice of the breach to Kentucky residents “whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Importantly, the notice requirement is triggered only by an event “that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud.” The law defines “personally identifiable information” as “an individual’s first name or first initial and last name” in combination with any of the following information:

  • The individual’s Social Security Number;
  • The individual’s driver’s license number; or
  • The individual’s account number or credit/debit card number, in combination with any required security code, access code, or password that permits access to the individual’s financial account.

The required notice must be provided “in the most expedient time possible and without unreasonable delay,” although notification “may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.” The law allows for either written or electronic notice. Certain types of substitute notice—such as posting on the company’s website—are permitted if the cost of providing notice would exceed $250,000, if there are more than 500,000 affected individuals, or if the company does not have sufficient contact information.
Continue Reading Kentucky Enacts Data Breach Notification Law

Iowa’s governor recently signed into law S.F. 2259, which amends Iowa’s data breach notification law. Under the amendment, entities that suffer breaches of personal information and are required to notify more than 500 state residents will also be required to notify the state’s attorney general. The notice to the

Continue Reading Iowa Amends Breach Notice Law to Require Notice to State AG

Last week, the Article 29 Data Protection Working Party published a non-binding Opinion on data breach notifications, titled Opinion 03/2014 on Personal Data Breach Notification (the Opinion).  The Opinion provides helpful new guidance to companies seeking to understand whether or not notifications about a breach must be made to European privacy regulators and/or affected individuals in the wake of a data breach.  Although the Opinion’s guidance is non-binding, and is not based on clear legal requirements, it is nevertheless likely to shape enforcement practices both inside and outside the EU, given the standing and influence of the Article 29 Working Party.

This post discusses key aspects of the Opinion.
Continue Reading EU Article 29 Working Party Publishes Guidance on Data Breach Notification

On Monday, the International Association of Privacy Professionals (IAPP) hosted a discussion that featured state and federal privacy regulators. The panel included Maneesha Mithal, Associate Director for the Division of Privacy and Identity Theft at the Federal Trade Commission; Marty Jackley, Attorney General of South Dakota; and Bill Sorrell, Attorney General of Vermont. The panel was intended to discuss privacy generally; however, the conversation quickly focused on the latest hot topic: data breach.

It was acknowledged at the outset of the conversation that the important role state attorneys general play in regulating privacy, both individually and in tandem, is often overlooked. Ms. Mithal suggested that, for example, while the EU is familiar with the FTC’s enforcement authority and the existence of some federal law, the “story often not told” is that there are “cops on the beat,” and specifically, that the United States has robust state enforcement of privacy protections.
Continue Reading A Conversation with State and Federal Privacy Regulators Turns to State Data Breach Enforcement