In the wake of the high-profile retailer data breaches involving Target and Neiman Marcus, among others, Capitol Hill is re-engaging on data security breach legislation. Among other activity in Congress, Senators John D. Rockefeller IV (D-West Virginia), Dianne Feinstein (D-California), Bill Nelson (D-Florida), and Mark Pryor (D-Arkansas) recently introduced the Data Security and Breach Notification Act of 2014, which tracks legislation that Senator Rockefeller had introduced in prior Congresses. The bill would require the Federal Trade Commission (FTC) to promulgate federal data security standards, establish federal data breach notification requirements, criminalize concealing breaches of security involving personal information, provide potentially harsh civil penalties, and preempt state data security and breach notification laws.
- Information Security Standards. Under the Act, the FTC would promulgate information security regulations that require “covered entities” (commercial entities and non-profit organizations) to (1) maintain an information security policy addressing the collection, use, and disclosure of personal information; (2) appoint a security officer responsible for such policies; (3) establish a process to identify and assess reasonably foreseeable system vulnerabilities; (4) adopt mitigation measures to address any identified vulnerabilities; and (5) dispose of or destroy electronic data and paper documents in a secure manner. Entities that are subject to the Gramm-Leach-Bliley Act (GLBA) or the Health Information Technology for Economic and Clinical Health (HITECH) Act and that are in compliance with information security requirements under those statutes would be deemed in compliance with any information security standards under the proposed Act.
- Breach Notification. The breach notification requirement would obligate covered entities to notify, within 30 days following discovery of the data breach, every citizen or resident of the United States whose personal information is reasonably believed to have been compromised. In some cases, covered entities also would be required to notify the FTC. Third parties maintaining personal information on behalf of a covered entity and certain service providers would have an obligation to notify covered entities, and for breaches affecting more than 5,000 individuals and involving certain types of personal information, covered entities would be required to notify credit reporting agencies. The Act provides detailed guidance on the substance and form of notifications, describes circumstances in which a substitute notification process is acceptable, and in certain cases requires that covered entities provide a free credit report to consumers.
- Covered entities would not be required to provide notification if they reasonably conclude that there is no reasonable risk of identity theft, fraud, or other unlawful conduct. Under the Act, the FTC may issue rules establishing a presumption that there is no reasonable risk of identity theft if the covered entity uses encryption or similar technologies. In other cases, covered entities may be deemed to be in compliance with the proposed Act if they are subject to and complying with breach notification requirements under GLBA or the HITECH Act.
- In certain situations, companies also must notify a federal agency of a breach within 10 days of discovery and at least 3 business days before notifying individuals. The federal agency breach notification requirement would apply when, for example, more than 10,000 individuals are affected by a breach or a database or network of databases including personal information of more than 1 million individuals has been compromised. The federal agency to be notified would be appointed by the Department of Homeland Security.
- Enforcement and Penalties. Both the Federal Trade Commission and state attorneys general could enforce the requirements of the bill. Significantly, because the FTC could enforce violations of the information security provisions and data breach requirements as violations of a trade regulation rule, it would be able to impose civil penalties of up to $16,000 per violation. Moreover, state officials could impose civil penalties of up to $11,000 per day for violations of the information security provisions and up to $11,000 for each individual who is not notified in violation of the individual breach notification requirement. The Act would establish a cap on liability to state officials of $5 million for all violations of the information security program requirements and $5 million for all violations of the individual breach notification requirements that stem from a single incident. In addition, the U.S. Attorney General may impose civil penalties of up to $100,000 per day for failing to notify the appointed federal agency of a breach, with maximum penalties of $1 million for a single breach or $2 million for a single breach where there is willful or intentional conduct.
- Concealment of Breaches Involving Personal Information. The Act would criminalize concealing breaches involving personal information. This offense would be punishable by fines or up to five years' imprisonment.
- Preemption. The Act also would preempt existing state information security laws and state data breach notification requirements, as applied to commercial entities subject to Section 5 of the FTC Act and non-profit organizations. A minority of states have statutes imposing baseline data security requirements on all companies that own or license personal information of state residents, with Massachusetts and Nevada having more detailed requirements. Forty-six states, plus the District of Columbia, Puerto Rico and the U.S. Virgin Islands, have breach notification requirements.