House Passes Comprehensive Data Security Legislation

On December 8, the House of Representatives by voice vote passed H.R. 2221, entitled the "Data Accountability and Trust Act," which would require all organizations engaged in interstate commerce that manage or contract another to manage electronic data containing personal information to comply with a comprehensive set of standards designed to protect that information from unnecessary disclosure and to prevent identity theft and other fraud.

These measures include:

  • Requiring covered organizations to establish and implement comprehensive policies and procedures regarding information security practices for the treatment and protection of personal information, tailored to the individual organization's capabilities.  This would include:
    • the creation of a security policy;
    • the identification of a security officer or other individual as the point of contact for the organization's security program;
    • the creation of a process for assessing vulnerabilities to electronic systems containing personal information, including regular monitoring for security breaches;
    • the creation of a process for taking preventative and corrective action to mitigate against any vulnerabilities found; and
    • the creation of a process for the secure disposal of obsolete data.
  • Subjecting data brokers maintaining PII to standards similar to credit reporting agencies, including allowing individuals to request and correct false information maintained about them, and punishing data brokers for the unauthorized disclosure of personal information through "pretexting" -- that is, obtaining or hiring someone who obtains personal information of others through false pretenses.
  • Creating a federal data breach notification requirement that would mandate any organization suffering a breach of personal information to notify all affected individuals, unless it determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct (which can be presumed if the data is properly encrypted or otherwise rendered in an electronic form unreadable or undecipherable).  Organizations suffering breaches would also be required to provide consumer credit reports to affected individuals on a quarterly basis for two years.

The FTC would be directed to pass regulations and guidance implementing and interpreting many of the specifics, and would be granted civil enforcement authority through its power under the FTC Act to prevent unfair and deceptive trade practices.  In addition, the bill would empower state attorneys general to bring civil actions to enforce its provisions with regard to violations against residents of their respective states.

Penalties would be substantial.  The failure of any covered organization to implement a comprehensive data security program or of data brokers to implement requirements specific to them would carry a maximum penalty of $11,000 per violation -- which in the case of the data security program would be $11,000 per day -- up to a maximum of $5,000,000.  Failing to comply with the breach notification provision would carry a penalty of up to $11,000 per failed notification, up to a maximum of $5,000,000, which could theoretically be reached by an unreported breach of the personal information of only 455 individuals.

Importantly, the bill would preempt the breach notification laws of forty-five states, the District of Columbia, Puerto Rico, and the Virgin Islands, as well as the recent controversial Massachusetts regulations requiring the creation of a comprehensive data security program and policy by all organizations maintaining the electronic personal information of residents of that state.  It would not, however, replace any of the parallel federal breach notification standards, such as the breach notification rule recently issued by the Department of Health and Human Services under the HITECH Act and other disclosure requirements under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.

Just last month, the Senate Judiciary Committee approved two bills very similar to H.R. 2221.  While there are some notable differences -- including criminal penalties, an applicability threshold for the data security program requirement, and express exemptions for entities in compliance with similar federal regulations in the Senate versions, and prohibition of pretexting and higher penalties in the House version -- all three bills have enjoyed bipartisan support and their purposes are aligned.  Though health care and other items remain higher on the Senate's agenda, and the full chamber is unlikely to vote on the bills for some time, proponents are now likely to point to the momentum generated by the passage of the House version to bring the issue before the Senate sooner rather than later.

Senate Committee Approves Data Security Bills Creating Federal Data Security Program, Breach Notification Requirements: Criminal and Civil Penalties Give Proposed Law Real Teeth

On November 5, the Senate Judiciary Committee passed two bills that collectively would preempt a large swath of the patchwork quilt of state data security and breach notification laws that largely comprise the U.S. regulatory landscape today.

S. 1490, introduced by Sen. Patrick Leahy (D-Vt.), would preempt most state data security laws. The bill would mandate the implementation of a comprehensive data security program by all businesses maintaining personally identifiable information (PII) of 10,000 or more individuals not currently required to do so by certain federal laws (such as GLBA for those maintaining financial information and HIPAA for those maintaining health information). Covered businesses would be required to conduct an internal data security risk assessment, adopt controls to reasonably manage these risks and to detect security breaches, and conduct regular vulnerability testing and reassessment to ensure their program is appropriately managing risks.

The bill would also create a federal data breach notification requirement, preempting the variety of state laws that today cause compliance headaches among those that experience such a breach. The bill's provisions mirror most of the common themes of the state laws, including that breaches must be reported "without unreasonable delay" except as necessary for law enforcement or national security purposes, and that in addition to the affected individuals notification must be made to prominent media in all states in which the information of 5,000 or more individuals is reasonably believed to have been breached. Like some of the state laws, the bill contains a "risk of harm" threshold, exempting notification in situations in which it is determined that there exists no significant risk that the breach will result in harm (with the approval of the Secret Service of this determination). The use of effective encryption, redaction, or other industry-standard controls would create a statutory presumption that no harm is likely to occur from a breach.

Among other provisions, the bill would:

  • create a federal crime for intentionally and willfully "concealing" a breach of PII that one has an obligation to report;
  • ask the U.S. Sentencing Commission to reevaluate criminal penalties associated with the theft or unauthorized access of PII;
  • subject data brokers maintaining PII to standards similar to credit reporting agencies, including allowing individuals to request and correct false information maintained about them, and notifying individuals when a third party takes adverse action against them based on the PII furnished; and
  • require federal contractors to meet certain data security requirements.

Notably, the House Energy and Commerce committee passed a bill containing a number of similar provisions, H.R. 2221, including those pertaining to the security program, breach notification, and data brokers. The second Senate bill, S. 139 introduced by Sen. Dianne Feinstein (D-Calif.), would create a federal data breach notification requirement largely mirroring that of S. 1490 that would also preempt state data breach requirements. S. 1490 passed 14-5; S. 139 passed 14-2.

The civil penalties associated with a failure to comply with these bills would be substantial. Failure to institute a comprehensive security program would result in a fine of up to $5,000 per violation per day (double for willful violations) with a cap of $500,000 per violation, and failure to timely notify required parties of a reportable breach could lead to a penalty of up to $1,000 per day per individual whose PII was breached (doubled for willful violations), with a cap of $1,000,000 per violation. Violations of the data broker provisions could elicit penalties of $1,000 per violation per day, with a cap of $250,000 that would double with willful violations. In addition to the federal government (in some cases, the FTC was explicitly named), state Attorneys General would be granted the authority to enforce these laws on behalf of their affected residents.

Chances of this bill coming to vote before the full Senate in the near term are slim, especially with health care and appropriations at the forefront of the legislative agenda and relatively few days left in the current session. Nevertheless, this is not the first data security legislation introduced in Congress, and given the thought and detail put into crafting these bills, the committee endorsement, the number of co-sponsors, and increasing prevalence of identity theft and other relevant issues, such a law has a better-than-ever chance of coming into force at some point.

Live Blogging from Madrid Privacy Confabs: EU-Wide Data Breach Notification Requirement a Real Possibility

In advance of the global meeting of data protection authorities starting tomorrow in Madrid, the International Association of Privacy Professionals (IAPP) and the Electronic Privacy Information Center (EPIC) are hosting side events today at the conference hotel.

The biggest news so far, discussed at the IAPP event, is that the European Commission is seriously considering new data security breach notification laws. Previously, the Commission and the European Council had focused only on breaches at telecom companies and ISPs.

The Commission's Information Society Commissioner, Viviane Reding, now has said that new EU-wide legislation requiring all entities to notify individuals and authorities of breaches is seriously under consideration.

Thus, EU compliance officers are paying rapt attention to the discussion by the Americans here of how to comply with data security breach laws.

New Class of Data Security Breach Plaintiffs Possible If Maine Supreme Court Rules That Economic Harm Not Required

“Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”

That is the question a federal district judge in Maine has put to the Maine Supreme Court in the data security breach litigation involving Hannaford Brothers.  In a ruling dated October 5, 2009, Judge D. Brock Hornby, who earlier this year had dismissed almost all of the claims in the consolidated class action for lack of "economic loss", reversed himself and sent to the Maine Supreme Court an issue that has the potential for opening the floodgates of litigation.  Plaintiffs so far have been unsuccessful in pursuing civil actions following data security breaches where they have not suffered real economic damages.

As Judge Hornby himself observed in his decision,

"if the Maine Law Court's answer to the certified question on the cognizable harm issue favors the plaintiffs, the plaintiffs will have both a negligence claim and an implied contract claim."

Such a development could have a profound impact on the vulnerability of companies experiencing data security breaches to civil claims, something they so far largely have avoided.  Thus, added to the existing costs of a data security breach (notification costs, credit monitoring costs, regulatory investigation costs, damage to reputation costs, etc.), there may soon be "time and effort" compensation costs.  As mentioned in an earlier post concerning Maine's law to protect kids from predatory marketing, which effectively is on hold, when the State of Maine enjoyed a reputation as a bellwether for presidential elections, this expression was in common parlance:

As Maine goes, so goes the nation?

It appears that while the State of Maine no longer has much impact on presidential elections, it could well have an impact on data security breach law.