For the fifth consecutive session of Congress, Sen. Dianne Feinstein (D-CA) has introduced legislation that would establish a federal data breach notification standard. Sen. Feinstein’s legislation — the Data Breach Notification Act of 2011 (S. 1408) — is one of a number of breach notice proposals circulating on Capitol Hill that would preempt state breach notice laws and replace them with a federal standard. In the Senate alone, Sens. Jay Rockefeller (D-WV) and Mark Pryor (D-AR) have introduced the Data Security and Breach Notification Act of 2011 (S. 1207), and Sen. Patrick Leahy has introduced the Personal Data Privacy and Security Act of 2011 (S. 1151).
We have heard from several sources that Sen. Rockefeller, Chairman of the Senate Committee on Commerce, Science & Transportation, is planning to markup S. 1207 in the near future. And last week, the House Subcommittee on Commerce, Manufacturing, and Trade marked up and voted to report the SAFE Data Act (H.R. 2577) (introduced by Rep. Mary Bono Mack (R-CA)) to the full House Energy & Commerce Committee.
Unlike many of the breach bills that are circulating, Senator Feinstein’s bill is limited to breach notification obligations and does not include information security requirements. Generally, S. 1408 is much more similar to the breach notice provisions of S. 1151 (Leahy) than S. 1207 (Rockfeller/Pryor) or H.R. 2577 (Bono Mack).
- S. 1408 would cover various combinations of data elements, including (1) name, username, and password information; (2) name and unique biometric data; (3) name, address or telephone number, and a full date of birth; and (4) financial account information, as well as several other potential combinations of data. This is a broader set of data elements than covered by H.R. 2577.
- Notice to individuals is not required to the extent there is “no significant risk that a security breach has resulted in, or will result in, harm to the individual whose sensitive personally identifiable information was subject to the security breach.” However, S. 1408 would require a business to undertake a formal risk assessment and submit the results of the assessment in writing to the Federal Trade Commission. Notice to the FTC would not be required as a matter of general course under S. 1408.
- S. 1408 would require notice to individuals “without unreasonable delay.” Notice to the Secret Service within 14 days of the discovery of a breach also would be required if more than 10,000 individuals are affected by a breach or in certain other limited scenarios. S. 1408 also contains a requirement to notify state media in certain circumstances.
- S. 1408 would be enforced primarily by the Attorney General with state attorneys general also authorized to bring civil actions where the Attorney General has not yet acted. In contrast, H.R. 2577 would designate the FTC as the primary regulator.
Inside Privacy will continue to follow committee considerations of S. 1207 and H.R. 2577 and other legislative developments in this area.