By Caleb Skeath
As we reported last this week, the Congressional Privacy Bill (S. 547/H.R. 1053) contains provisions that would establish a national data breach notice law, along with the Commercial Privacy Rights Act of 2015 and the Do Not Track Kids Act of 2015. Following our analysis of the Commercial Privacy Rights Act, we have analyzed the bill’s data breach provisions below. These provisions would allow for up to 60-days for individual notifications following discovery of a breach, and the bill’s definition of “personally identifiable information” (PII) is significantly broader than any anologous definition within the current state data breach notification laws. Continue reading for an in-depth analysis of the data breach provisions, and stay tuned for forthcoming analysis of the Do Not Track Kids Act of 2015.
Who is covered by the bill? As with the other provisions of the bill, the data breach provisions would apply to entities within the FTC’s Section 5 jurisdiction, common carriers under the Communications Act, and 501(c) non-profit organizations. However, a covered entity that collects, uses, transfers, or stores PII regarding fewer than 5,000 individuals during a consecutive 12-month period would not be subject to the bill’s provisions.
How is “personally identifiable information” defined? The data breach provisions utilize the same definition of “personally identifiable information” as the bill’s other provisions, the Commercial Privacy Bill of Rights Act of 2015 and the Do Not Track Kids Act of 2015. In the context of a data breach statute, this definition of PII is significantly broader than any other data breach notification proposal, as disclosure of information such as an individual’s name or address, by itself, would trigger notification obligations. Each of the following types of information, by themselves, would qualify as PII:
- Full name;
- Physical address;
- Email address;
- Telephone number;
- SSN or other government ID number;
- Unique identifier information that, by itself, can be used to identify an individual;
- Credit card account number; or
- Biometric data.
In addition, the following types of information would qualify as PII when paired with one of the types of PII listed above:
- Date, certificate, or place of birth;
- Unique identifier information that cannot be used to identify an individual by itself;
- Precise geographic location;
- Information about the use of voice services; or
- Any other information that could be reasonably used to identify an individual.
As discussed further below, the bill would only cover PII maintained in electronic form.
When are notification obligations triggered? A covered entity must notify individuals following the discovery of a breach of security of a system maintained by the entity containing PII. A “breach of security” is defined as a “compromise of the security, confidentiality, or integrity of, or loss of, data in electronic form that results in, or there is a reasonable basis to believe has resulted in, unauthorized access to or acquisition of” PII. Good faith acquisition by an employee or covered entity is exempt if the PII is not subject to further use or disclosure.
How are individuals notified? The bill contains requirements for the timing, distribution, and content of notices to individuals. In the event of a breach, a covered entity would be required to notify all U.S. citizens or residents whose PII has been, or is reasonably believed to have been, acquired or accessed.
- Timing: Covered entities would be required to notify individuals “without unreasonable delay” following the discovery of the breach and provide a copy of the notification to the FTC within the same timeframe. Although the bill allows for delays to determine the scope of the breach, prevent further disclosures, or restore the integrity of the system, the delay cannot exceed 60 days unless the FTC grants an additional 30-day extension in writing. The FBI and the U.S. Secret Service would also have the power to delay notification to individuals for law enforcement or national security reasons.
- Methods: Covered entities would be allowed to provide notifications in writing, as well as via email if the entity’s primary method of communication with the affected individual was via email or if the individual consented to receiving notifications via email. The bill would also allow for substitute notification methods, including via email, posting on the entity’s website, and notification to print and broadcast media, if more than 10,000 individuals are affected or the entity does not have sufficient contact information for the affected individuals.
- Content: The bill would require individual notifications to contain the following information:
- The date, estimated date, or estimated date range of the breach of security;
- A description of the PII accessed or acquired;
- A telephone number that individuals can use to contact the covered entity;
- Notice that the individual may be entitled to consumer credit reports and instructions on how to request them;
- A telephone number and address for each major credit reporting agency; and
- A telephone number and website for obtaining information about identity theft from the FTC.
Are entities required to notify law enforcement or other government entities? The bill would require the Secretary of Homeland Security to designate a federal government entity to receive notice of security breaches and distribute these notices to other government entities. Notice to this designated federal entity would only be required if the breach involves access to PII of more than 10,000 individuals, databases containing PII for more than 1 million individuals or databases owned by the federal government, or primarily PII from individuals known to the covered entity to be law enforcement or national security employees or contractors of the federal government. The notification, which must be provided within 10 days after the date of discovery of the breach and at least 3 days before individuals are notified, would be required to contain the date, estimated date, or estimated date range of the breach, a description of the breach and the types of PII accessed, and the reason why the designated federal entity is being notified.
Are entities required to notify credit bureaus? A covered entity would be required to notify all major credit bureaus of the timing and distribution of individual notices if the covered entity is required to notify more than 5,000 individuals following a breach. However, notification to the credit bureaus would not be required if the only information compromised is an individual’s name, address, or phone number in combination with their credit or debit card number and any required security code.
Do third parties or service providers have notification obligations? The bill would define a “third party” as an entity that is not under common ownership with a covered entity or is related to a covered entity in a manner that an ordinary consumer would not understand. If a third party that has been contracted by a covered entity to maintain or process PII experiences a breach, it must notify the covered entity but does not have any other notification obligations.
The bill would also define a “service provider” as an entity that provides “electronic data transmission, routing, intermediate and transient storage, or connections to its system or network” but does not select or modify the content of the electronic data, is not the sender or recipient of the data, and does not differentiate PII from other information. If a service provider becomes aware of a breach affecting PII owned or possessed by a covered entity that connects to or uses the service provider’s network, the bill would require the service provider to notify the covered entity that initiated the transmission or storage of the compromised PII if the entity can be “reasonably identified.”
Are there any other obligations? The bill would require an entity to provide a free consumer credit report, upon request, to any individual affected by the breach on a quarterly basis for 2 years. The bill would also require the FTC to engage in rulemaking to provide a process for small businesses and small nonprofit organizations to seek a full or partial waiver from this requirement due to excessive costs. Entities would be exempt from this requirement if the breach only discloses individuals’ names, addresses, or phone numbers in combination with credit or debit card numbers and any required security codes.
How will these provisions be enforced? The bill would not provide a private right of action. However, a violation of any of the bill’s provisions, except for providing notice to the designated federal entity, would be treated as an unfair or deceptive trade practice, enforceable by the Federal Trade Commission. State attorneys general would be allowed to bring a civil action enforce the bill’s provisions if the interests of state residents are adversely affected, but any civil action brought by the FTC would preempt the enforcement powers of the state attorneys general. The bill would provide for civil damages of up to $33,000 per day of non-compliance or per individual that the entity failed to obtain consent from, up to a maximum of $6 million for any “related series of violations.”
The Attorney General would have the exclusive authority to enforce the provisions of the bill regarding notice to the designated federal entity via a civil action. Violations would be subject to civil penalties of up to $1,000 per individual whose PII was accessed, up to a maximum of $100,000 per day while the violation persists. Total liability from a single breach would be capped at $3 million, but an additional civil penalty of $3 million would be available for reckless or repeated violations. The Attorney General would also have the power to seek an injunction against any violations of the data breach provisions.
Are there any safe harbors? The bill would provide safe harbors for financial institutions that comply with GLBA, as well as covered entities or business associates that comply with the HITECH Act. The bill would also provide a limited safe harbor for entities that participate in financial fraud prevention programs that meet specific requirements. However, this safe harbor would not apply to breaches that expose PII other than an individual’s credit card number or security code.
Will these provisions preempt state law? The bill would preempt state laws relating to the disclosure of PII. However, the bill would specifically preserve state laws regarding the collection, use, or disclosure of health or financial information, as well as state laws relating to acts of fraud.