The clamor for a standardized data breach notification requirement has become almost as quotidian as a data breach itself. Companies no longer wonder whether they will ever have to notify consumers of a breach but rather when they will do so. Incident response planning, however, is currently complicated by the existence of 47 different state breach notification laws and those of additional jurisdictions such as D.C., New York City, Puerto Rico, Guam and the Virgin Islands. The variety is no doubt confusing and increases the compliance costs for companies. President Obama’s recent proposal of a National Data Breach Notification Standard (or The Personal Data Notification & Protection Act) has received widespread attention for its promise to preempt and unify the existing patchwork of requirements.

The proposed bill would require companies to notify consumers within 30 days of discovering a security breach [Sec. 101(c)], and in some cases, also notify a federal entity designated by the Secretary of Homeland Security [Sec. 106(a)]. The bill defines a “security breach” as unauthorized acquisition of or access to sensitive personally identifiable information, and it defines “sensitive personally identifiable information” as an individual’s name and two additional data elements together or any one of several unique data elements on their own, such as biometric data or a government issued ID number [Definitions]. It requires direct notification of affected individuals and media notice if the number of affected individuals in any one state exceeds 5,000 [Sec. 103]. It further specifies the information that should be communicated in the notifications to all affected individuals [Sec. 104]. The bill gives rulemaking authority to the FTC and enforcement authority to the FTC and state attorneys general [Sec. 106(b), 107, 108] and contains a preemption provision to ensure the bill will “supersede any provision of the law of any State, or political subdivision thereof, relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data” [Sec. 109].

Though the proposed bill has earned support from industry and consumer protection groups alike for its effort to simplify the existing system of notification rules, some privacy advocates remain concerned about the bill’s preemption provision. They contend that uniformity should not be achieved at the expense of strong consumer privacy protections, fearing that preemption would effectively weaken consumer protections in places that currently have stricter breach notification requirements than the proposed federal standard. Some

At the same time, the bill’s elimination of a private right of action may restrict a steadily growing avenue for individual redress and private enforcement through litigation and class actions.

Defining “Security Breach” and “Personal Information”

The proposed bill defines a security breach as a compromise or loss of computerized data resulting in “the unauthorized acquisition of sensitive personally identifiable information [SPII]” or “access to [SPII] that is for an unauthorized purpose, or in excess of authorization.” This definition is narrower in scope than a few state laws with regard to the format of the data, but covers a greater range of security events than the existing system. Specifically, the language of the proposed bill covers only computerized data, not information in other formats as at least three states cover, but it applies to unauthorized access to and acquisition of data, while most laws define a breach as only the latter.

In defining the types of compromised data that trigger notification requirements, the proposed bill covers a greater range than its current counterparts. Existing laws generally define personal information as an individual’s name plus an additional sensitive data element like a social security number, credit card number or password. The proposed bill goes further to define SPII in two ways: the first as electronic or digital information that includes an individual’s name and two of the following: home address or telephone number, mother’s maiden name or full date of birth; the second as one of several data elements that constitute SPII on their own:

  • a government-issued ID number (such as a SSN, Driver’s License number or passport number)
  • any unique biometric data
  • a unique account identifier (such as a credit card number, bank account number, routing code or user name)
  • a username or email address in addition to a password or answer to a security question that would permit access to an online account.

Under the President’s bill, none of these data elements have to be connected to a consumer’s name in order to trigger breach notification requirements. This constitutes a significant expansion of coverage under existing laws. Though a few do not require names to be connected to special categories of sensitive data like SSN (Indiana) or credit card numbers (Kansas) in order to qualify as personal information, the vast majority of existing laws limit personal information to data connected with a first and last name and none identifies as many categories of SPII as the President’s proposed bill. Moreover, the bill notes that under the rule promulgated under section 553 of title 5 of the U.S. Code, the FTC may amend the definition of SPII “to the extent that such amendment will not unreasonably impede interstate commerce, and will accomplish the [bill’s intended] purposes.” With the FTC empowered to modify the elements that constitute SPII, the bill has a strong chance of remaining up-to-date with data trends over time.

Despite the wider range of data sets it covers, however, the proposed bill expressly omits health and medical information. At least nine states and Puerto Rico include this type of data in their definitions of personal information covered by their breach notification statutes. Though it is possible the administration was attempting to preserve the autonomy of federal statutes already governing health data, the omission of health and medical data from the definition of SPII complicates the interplay with certain existing laws, as discussed in the following section.

Defining “Covered Entities”

The proposed bill applies to business entities (for profit and non-profit) that “use, access, transmit, store, dispose of or collect SPII about more than 10,000 individuals during any 12-month period.” It is highly limiting language, arguably setting a lower standard than that under any of the existing laws, which do not distinguish a covered entity by its number of customer records. By setting a floor of 10,000 individuals, the bill effectively exempts from breach notification requirements smaller entities collecting consumer information that might otherwise have been covered under the existing system, such as small businesses and individuals who collect fewer than 10,000 records annually.

The bill addresses the question of allocation of notification responsibility between a breached entity and an owner/licensee of the breached information, in case they are different – an issue inconsistently resolved among existing laws. In the event of a breach, the proposed bill obligates the breached entity to notify affected individuals regardless of whether it owns or licenses the data. If the breached entity does not own or license the data, it is required to notify the data owner or licensee, although such notification does not release it from its obligation to notify affected individuals. The proposed bill clarifies, however, that if the owner or licensee of the data provides the notification itself, then the breached entity is released from its obligation to notify. In addition, notification obligations can be contractually transferred to another party, and the proposed bill does not prevent or nullify such an agreement.

The proposed bill carves out an exemption for entities and vendors covered by the HITECH Act, which contains its own breach notification mandate. Some current laws also contain an exemption for HIPAA (and an exemption for entities covered by the GLBA). Still, the majority do not provide such an exemption and in some cases impose stricter requirements for HITECH covered entities than HITECH itself. Because HITECH exempts from its preemption provision laws with more stringent requirements, these stricter standards remain effective. In contrast, the proposed bill contains no such exemption for stricter state provisions. Commentators have suggested, therefore, that in the case of health data handled by entities covered by HITECH, the lack of an exemption from the bill’s preemption provision means that while a state’s existing breach notification law with regard to covered health entities is not overridden by HITECH (which exempts stricter state laws from preemption), it would be overridden by the President’s proposed bill. In other words, critics argue that the bill’s broad preemption provision may dilute consumer protection in states whose breach notification laws cover health data and contain stricter protections than those under HITECH.

Upon closer reading of the statutory language, however, it becomes clear that this criticism is unfounded. Section 111 of the bill specifically states that, “Nothing in this Act shall apply to business entities to the extent that they act as covered entities…subject to the [HITECH] Act.” This means that for HITECH covered entities, the bill’s preemption provision [Sec. 109] does not apply. Consequently, stricter state laws, which survive HITECH, remain in effect with regard to such entities. Moreover, even states or territories that do not currently impose stricter standards on such covered entities could craft new legislation without conflicting with the President’s proposed uniform standard.

It is worth noting that while the interplay between the President’s bill, HITECH and existing laws does not create a statutory loophole, the combination of the HITECH exclusion with the omission of health data from the definition of SPII does. Over the past few years, an entire industry, which is not covered by HITECH, has emerged around the collection and handling of consumers’ health and fitness data through a plethora of websites, apps and wearable devices. The wearable technology industry already provides numerous devices for collecting, recording and assessing personal health information from millions of individuals. While a breach of this data could certainly be harmful to consumers, companies would arguably fall outside the remit of both the President’s bill (due to the definition of SPII) and the HITECH Act – a gap that does not appear in the existing state system. Here, the proposed bill’s preemption would apply, meaning that stricter state laws would be set aside. Remedying this gap would require either the addition of health and medical data to the definition of SPII or an adjustment to the preemption provision of the proposed bill such that state laws relating to data sets outside the scope of the proposed legislation remain unaffected.

Defining “Timeliness of Notification”

As in existing laws, the proposed bill addresses two types of notifications: one to law enforcement and the other to affected individuals. The proposed bill requires covered businesses to notify a federal entity designated by the Secretary of Homeland Security so that it can alert relevant law enforcement agencies in the event of a security breach. This notification must take place “as promptly as possible,” which the bill defines as within 72 hours before notifying individuals or within 10 days of the discovery of the incident, whichever comes first. By mandating a timeframe for notification to law enforcement, the proposed bill strengthens the existing system; Puerto Rico has the same 10-day requirement, but no other state or territory sets a timeframe for notifying law enforcement. Three states impose a stricter timeframe for notifying the state Attorney General’s office in situations where a state agency is breached and/or medical information is lost, but these situations are irrelevant given the scope of the proposed bill.

The bill states that notifications to individuals “shall be made without unreasonable delay following the discovery by the business entity of a security breach”; it defines unreasonable delay as exceeding 30 days unless necessary for law enforcement or where the business entity can demonstrate to the FTC that additional time is needed. On the one hand, the 30-day maximum is more specific than under existing laws. Maine (seven business days after law enforcement has authorized notification), Florida (30 days) and Wisconsin, Ohio and Vermont (45 days) are the five states that cap the reasonable timeframe. Most state laws employ the language “within the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the … the data system.”

On the other hand, by specifying a 30-day maximum rule as opposed to relying on a standard, the proposed bill may unintentionally offer businesses a cushion to delay notifications in the event that in fact they are able to notify consumers sooner but choose to wait for the expiration of the 30-day window. This lowers the bar compared to state laws that demand reasonable expediency. At the same time, however, it is arguable that by capping the amount of “reasonable” time, the bill limits the flexibility companies have to respond to the breach. impactful class actions. They serve an important function not only of ex post remediation but also as an ex ante device to incentivize companies to improve their security practices.

That said, it is worth noting that were an individual to suffer actual damages as a result of a breach in which notification was delayed, those damages would conceivably constitute the “harm” necessary to provide standing in a case claiming the company was negligent or failed to reasonably secure confidential and personal consumer information. This would ostensibly constitute an actionable cause even if not under the breach notification statute.

Conclusion

The proposed bill generally meets, and in some cases exceeds, the standards set by existing breach notification laws. There are three notable exceptions: the absence of a private cause of action for individuals harmed by a failure to notify; the proposed bill’s definition of a covered entity, which effectively exempts smaller businesses and individuals that might have been subject to notification requirements under the majority of current laws; and the omission of different data formats and data sets from the definition of SPII. As this analysis suggests, other differences between the existing system and the proposed national standard appear to diminish neither the efficacy nor the strength of the proposed standard relative to the existing laws. While it is true that the language of the bill may change as it passes through Congress, analysis of the bill in its current form demonstrates that the proposed national standard comprehensively extends the fundamental requirements of existing laws on a national scale.