For the fifth consecutive session of Congress, Sen. Dianne Feinstein (D-CA) has introduced legislation that would establish a federal data breach notification standard.  Sen. Feinstein’s legislation — the Data Breach Notification Act of 2011 (S. 1408) — is one of a number of breach notice proposals circulating on Capitol Hill that would preempt state breach notice laws and replace them with a federal standard.  In the Senate alone, Sens. Jay Rockefeller (D-WV) and Mark Pryor (D-AR) have introduced the Data Security and Breach Notification Act of 2011 (S. 1207), and Sen. Patrick Leahy has introduced the Personal Data Privacy and Security Act of 2011 (S. 1151). 

We have heard from several sources that Sen. Rockefeller, Chairman of the Senate Committee on Commerce, Science & Transportation, is planning to mark up S. 1207 in the near future.  And last week, the House Subcommittee on Commerce, Manufacturing, and Trade marked up and voted to report the SAFE Data Act (H.R. 2577) (introduced by Rep. Mary Bono Mack (R-CA)) to the full House Energy & Commerce Committee. 

Unlike many of the breach bills that are circulating, Senator Feinstein’s bill is limited to breach notification obligations and does not include information security requirements.  Generally, S. 1408 is much more similar to the breach notice provisions of S. 1151 (Leahy) than S. 1207 (Rockefeller/Pryor) or H.R. 2577 (Bono Mack).

  • S. 1408 would cover various combinations of data elements, including (1) name, username, and password information; (2) name and unique biometric data; (3) name, address or telephone number, and a full date of birth; and (4) financial account information, as well as several other potential combinations of data.  This is a broader set of data elements than covered by H.R. 2577.
  • Notice to individuals is not required to the extent there is “no significant risk that a security breach has resulted in, or will result in, harm to the individual whose sensitive personally identifiable information was subject to the security breach.”  However, S. 1408 would require a business to undertake a formal risk assessment and submit the results of the assessment in writing to the Federal Trade Commission.  Notice to the FTC would not be required as a matter of general course under S. 1408.
  • S. 1408 would require notice to individuals “without unreasonable delay.”  Notice to the Secret Service within 14 days of the discovery of a breach also would be required if more than 10,000 individuals are affected by a breach or in certain other limited scenarios.  S. 1408 also contains a requirement to notify state media in certain circumstances.
  • S. 1408 would be enforced primarily by the Attorney General with state attorneys general also authorized to bring civil actions where the Attorney General has not yet acted.  In contrast, H.R. 2577 would designate the FTC as the primary regulator. 

Inside Privacy will continue to follow committee considerations of S. 1207 and H.R. 2577 and other legislative developments in this area.

Libbie Canter


Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”