Data security continues to be a hot issue on Capitol Hill, and just yesterday Attorney General Eric Holder urged Congress to create a “strong, national standard” for quickly reporting data breaches to consumers. Democratic and Republican senators have been busy drafting legislation that would establish national requirements for data security and breach notice. The following bills have been introduced over the last year: Data Security and Breach Notification Act, Toomey (R-PA); Personal Data Privacy and Security Act, Leahy (D-VT); Data Security Act, Carper (D-DE) and Blunt (R-MO); Data Security and Breach Notification Act, Rockefeller (D-WV); and Personal Data Protection and Breach Accountability Act, Blumenthal (D-CT).
This post provides a side-by-side comparison of these five data-breach bills, which would impose varying standards and penalties. The comparison focuses on the breach-notification requirements of each bill; it does not discuss the standards that some bills would establish for internal security protocols to safeguard stored data.
Covered Information
- Toomey – “Personal information” means an individual’s first name or first initial and last name in combination with: (1) social security number; (2) driver’s license, passport, military identification, or other government-issued identification number; (3) financial account number with security code.
- Leahy – “Personally identifiable information” means any information in electronic or digital form that is a means of identification: (1) name, social security number, date of birth, government-issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (2) unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (3) unique electronic identification number, address, or routing code; (4) telecommunication identifying information or access device.
- Carper – “Sensitive personal information” means the first and last name, address, or telephone number of a consumer, in combination with any of the following: (1) social security number; (2) driver’s license or equivalent state ID number; (3) taxpayer ID number. “Sensitive account information” means a financial account number with security code. Excludes public information.
- Rockefeller – “Personal information” includes: (1) non-truncated social security number; (2) financial account number with security code; (3) an individual’s first name or first initial and last name in combination with: (a) driver’s license, passport number, alien registration number, or other similar government-issued number; (b) unique biometric data; (c) unique account identifier with security code; or (d) any two of the following: (i) home address or telephone number; (ii) mother’s maiden name; (iii) month, day, and year of birth.
- Blumenthal – “Sensitive personally identifiable information” means: (1) an individual’s first name or first initial and last name in combination with: (a) home address; (b) telephone number; (c) mother’s maiden name; (d) month, day, year of birth; (2) non-truncated social security, driver’s license, passport, or alien registration number or other government-issued number.
Risk of Harm Threshold
- Toomey – Unauthorized access reasonably believed to have caused or that will cause identity theft or other actual financial harm.
- Leahy – Significant risk that a breach has resulted in, or will result in, identity theft, economic loss or harm, or physical harm to affected individuals.
- Carper – Sensitive account or personal information reasonably likely to be misused in a manner causing substantial harm or inconvenience, which means material financial loss or the need for a consumer to expend significant time and effort to correct erroneous information in order to avoid material financial loss.
- Rockefeller – Reasonable risk of identity theft, fraud, or other unlawful conduct.
- Blumenthal – Significant risk that a security breach has resulted in, or will result in harm to affected individuals.
Notice to Consumers and Regulators
- Toomey – As expeditiously as practicable and without unreasonable delay. A delay for the purpose of determining the scope of the breach, identifying affected parties, and restoring integrity to the breached data system is reasonable. If the number of affected individuals exceeds 10,000, must notify the Secret Service or the FBI.
- Leahy – Without unreasonable delay, not to exceed 60 days following the discovery of the security breach, unless an extension of time is granted. If the number of affected individuals exceeds 5,000, or if the affected database contains information on more than 500,000 individuals, must provide notice to a government entity designated by the Secretary of Homeland Security either 72 hours before notice is given to individuals or no later than 10 days after discovery of the breach, or after discovery that the breach will require notice, to the Secret Service and the FBI.
- Carper – Enforcement agencies and authorities will prescribe regulations to implement the Act, including standards for timing of notice and appropriate authorities to receive notice.
- Rockefeller – Not later than 30 days after the date of discovery of a breach, or as promptly as possible if able to show that providing notice within that period is not feasible due to certain circumstances. For any breach affecting fewer than 10,000 individuals, must notify the FTC. If the number of affected individuals exceeds 10,000, or the breach involves a database containing information on more than 1 million individuals, must notify a government entity designated by the Secretary of Homeland Security not less than 3 days before notice is given to individuals and no later than 10 days after discovery of the breach.
- Blumenthal – Without unreasonable delay. If the number of affected individuals exceeds 5,000, or if the affected database contains information on more than 500,000 individuals, must provide notice to a government entity designated by the Secretary of Homeland Security within 10 days of discovery, and notice to individuals must be provided no later than 48 hours after the Secret Service or the FBI is notified by the designated government entity.
Enforcement and Penalties
- Toomey – The FTC may enforce a civil violation as an unfair or deceptive act or practice in violation of a trade regulation under the FTC Act. Maximum civil penalty may not exceed $500,000 for all violations resulting from a single breach. No private right of action.
- Leahy – The Attorney General, the FTC, and state attorneys general may impose civil penalties for violations. Penalties imposed by the Attorney General and state attorneys general may not exceed $11,000 per day per breach, and there is a maximum cap on liability of $1 million per incident. No private right of action.
- Carper – The FTC has primary enforcement authority, unless another federal agency, such as the SEC, governs the relevant activities of certain covered entities. No private right of action.
- Rockefeller – The FTC and state attorneys general may enforce violations. Penalties imposed by state officials may not exceed $11,000 per individual, and there is a cap on liability of $5 million per incident. The Attorney General may impose penalties of up to $1,000 per individual and $100,000 per day, with a maximum cap of $1 million, for failure to notify designated government entity in breaches affecting more than 10,000 individuals. No private right of action.
- Blumenthal – The Attorney General and state attorneys general may enforce violations, and the FTC may create rules to identify data-security safeguards. Additionally, individuals may bring private lawsuits to “recover for personal injuries sustained as a result of the violation.” All parties may seek penalties or damages not exceeding $500 per violation per day, with a maximum cap of $20 million per violation.
Federal and State Preemption
- Toomey – Preemption of state laws pertaining to data protection and breach notice.
- Leahy – Preemption of federal and state laws pertaining to data protection and breach notice.
- Carper – Preemption of state laws pertaining to data protection and breach notice.
- Rockefeller – Preemption of state laws pertaining to data protection and breach notice.
- Blumenthal – Preemption of federal and state laws pertaining to data protection and breach notice.
Covered Entities and Safe Harbors
- Nearly all bills apply to any commercial entity or non-profit organization that accesses, transmits, or stores personal information.
- Nearly all bills contain exemptions for entities subject to the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA).