ResourceCenter

Any business entity engaged in or affecting interstate commerce that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period.

Excludes entities covered by the HITECH Act.

Compromise of computerized data that results in or may be reasonably concluded to have resulted in an unauthorized acquisition of sensitive personally identifiable information or access to sensitive personally identifiable information that is for an unauthorized purpose or in excess of authorization.

Sensitive Personally Identifiable Information (SPII): any information in electronic or digital form that includes:

1. an individual’s first and last name or first initial and last name in combination with any two of the following data elements:
   • home address or telephone number;
   • Mother’s maiden name;
   • month, day, and year of birth;
2. a non-truncated social security number, driver’s license number, passport number, or alien registration number or other government-issued unique identification number;
3. unique biometric data;
4. a unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code;
5. a user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account; or
6. any combination of the following data elements:
   • an individual’s first and last name or first initial and last name;
   • a unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code; or
   • any security code, access code, or password, or source code that could be used to generate such codes or passwords.

Notification shall be made without unreasonable delay, not exceeding 30 days, unless necessary for law enforcement or with an extension granted by the FTC of up to 30 days.

If a business entity requires additional time, it shall provide the FTC with records or other evidence of the reasons necessitating delay.

A business entity is exempted from notice requirements if a risk assessment concludes that there is no reasonable risk of harm to the affected individuals.

Encryption: If the data at issue was rendered unusable, unreadable or indecipherable through an industry standard security technology or methodology, then no harm is presumed unless facts demonstrate that technology was also compromised.

Risk assessment must be submitted to FTC within 30 days.

1. INDIVIDUAL NOTICE — Notice to individuals by one of the following means:
   • written notification to the last known home mailing address of the individual in the records of the business entity;
   • telephone notice to the individual personally;
   • e-mail notice, if the individual has consented to receive such notice.
2. MEDIA NOTICE — If the number of affected residents of a State exceeds 5,000, notice to media reasonably calculated to reach them.

Regardless of the method of notification, notice shall include, to the extent possible:

1. a description of the categories of SPII that was breached;
2. a toll-free number to contact the business entity or its representative and to learn what types of SPII the entity maintained about that individual;
3. the toll-free contact telephone numbers and addresses for the major credit reporting
agencies and the FTC;
4. identification of the business entity that has a direct business relationship with the individual;
5. any information regarding victim protection assistance as provided for by that State (this is the exemption to the bill's preemption clause).

If notification is required to more than 5,000 individuals, the business entity shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis within 30 days (and prior to the notices of affected individuals if doing so will not delay notice to invidividuals), unless granted an extension by law enforcement or the FTC.

Notice to CRAs shall include the timing and distribution of the breach notifications to affected individuals.

The breached entity is required to notify affected individuals even if it does not own or license the data. Any covered entity that does not own or license the data affected by a breach shall notify the data owner or licensee that a breach has occured following the discovery of the breach unless there is no reasonable risk of harm or fraud. An entity obliged to give notice shall be relieved of such obligation if the owner/licensee or other designated third party provides the required notification. Contractual agreements redistributing the notification obligation are permitted.

Notify an entity designated by DHS to receive reports and information about security incidents, threats and vulnerabilities "as promptly as possible"—within 72 hours before notifying individuals or 10 days after the discovery of the incident, whichever is sooner.

FTC: rulemaking authority and enforcement authority under Section 5.

State Attorneys General: civil actions with penalties of not more than $1000 per day per affected individual up to $1m per violation unless found to be willful or intentional; must notify U.S. Attorney General and FTC.