Congressional Data Breach Bills Compared
Rep. Bobby Rush (D-IL), Rep. Mary Bono Mack (R-CA), Sen. Mark Pryor (D-AR), Sen. Jay Rockefeller (D-WV), Sen. Patrick Leahy (D-VT)
This summer, the number of data breaches at high-profile companies rivals only the surge in temperature. But despite the newfound attention, data breaches aren’t new; according to the Privacy Rights Clearinghouse, since 2005 there have been nearly 2600 data breaches affecting over 500 million records.
Meanwhile, the legal picture surrounding breaches is complex. Current federal law requires notification of consumers in the event of a breach only in limited circumstances, while nearly every state has its own version of a data breach law. Congress is now looking to simplify data breach laws with a national standard, but the question is whether such a standard would be a step forward for consumers. It’s an issue that CDT has been following since at least 2005.
At present, there are a number of pending data breach bills, including Representative Rush’s DATA, Representative Bono Mack’s recently marked up SAFE Data Act, and Senators Pryor and Rockefeller’s (acronym-free) Data Security and Breach Notification Act. Other pending legislation, including Senator Leahy’s Personal Data Privacy and Security Act as well as the White House’s Cybersecurity Proposal, also addresses data breaches.
CDT believes a comprehensive federal data breach law would be useful to standardize existing laws, but above all, the law should do more to encourage data collection and retention practices that reduce the risk of breaches in the first place. Certainly, a new federal law should not weaken existing notification and security requirements already in place today under state law and the FTC Act. Current congressional bills differ slightly on their approach to protecting consumer data from security breach. Below is a comparison of a few key provisions:
Information Security Requirements: The bills proposed by Representative Bono Mack, Representative Rush, and Senators Pryor and Rockefeller would empower the FTC to promulgate regulations for businesses’ handling of personal data. These would include appointing information security managers, identifying and correcting potential data security vulnerabilities, and taking steps to safely dispose of electronic personal data. The Rush, Pryor/Rockefeller, and Leahy bills also would make so-called information brokers, businesses that compile databases of thousands of consumers’ data and sell this information to third parties, subject to special requirements – which CDT supports – that ensure the data they compile is accurate and that consumers have access to this data and the ability to dispute inaccuracies. Representative Bono Mack’s bill adds a requirement for data minimization, so that a business retains only data needed for a legitimate business purpose and otherwise disposes of personal information as soon as possible. CDT supports these information security provisions, particularly in combination with a data minimization provision.
CDT would like to see the bills incorporate a broader range of sensitive data into the security requirements. The bills’ definition of “personal information” applies to both breach notification and security, but CDT believes companies should be under some explicit obligation to protect personal data that is not sensitive enough to require notification in the event of a breach. This would be consistent with the Federal Trade Commission’s (FTC) implementation of the security requirements of Gramm-Leach-Bliley – the FTC requires safeguards for essentially “any record containing nonpublic personal information” about a customer. The FTC, under its Section 5 authority to curb unfair business practices, also requires reasonable security to prevent unauthorized access to nonpublic, non-financial data – as demonstrated by the FTC’s 2010 complaint against Twitter.
Notification Trigger: Of course, even the best security practices will not prevent all data breaches. In the event of a breach, the bills generally require notification of all individuals affected. However, the bills also exempt businesses from notification if they perform a risk assessment that determines there is no “reasonable” or “significant” risk of harm, such as identity fraud. In addition, use of FTC-approved encryption technologies creates a rebuttable presumption that there is no reasonable risk of harm, unless the encryption key has also been breached. CDT supports a “notify unless” standard of reasonable risk, meaning that a business must notify consumers unless an affirmative determination of no risk can be made. This is in contrast to a “notify if” standard, which requires an affirmative finding of risk before notification and would create an incentive for companies not to fully investigate data breaches. Many of the bills now take the “notify unless” approach, but it remains possible that the presumption could be reversed by seemingly minor language changes as the legislative process moves forward.
Senator Leahy’s bill and the White House proposal include an additional valuable requirement that if a business makes an affirmative determination of no risk, it is still required to promptly inform the government of this result. CDT supports this provision because companies are more likely to make good faith, honest risk appraisals when those appraisals will be filed with the government.
Information Covered: Each bill differs slightly in its definition of “personal information.” In general, covered personal information includes an individual’s first name or initial and last name, in combination with other forms of identifying information, such as address, social security number, driver’s license, or financial account information. The Leahy bill would also cover unique biometric data, an important category of personally identifiable information. CDT supports including health data under the breach notification requirements, with authority for the FTC to modify the covered categories through rulemaking.
Consumer Assistance: In addition to the standard notification to individuals whose information has been breached, the Bono Mack, Rush, and Pryor/Rockefeller bills would require businesses to offer two years of credit monitoring services at no cost to the individual.
Preemption of State Law: All of the current bills would supersede state data breach notification laws, although the Rush and Rockefeller/Pryor bills would make exceptions for state victim assistance requirements. Preempting state laws may be necessary to simplify businesses’ obligations, but CDT cautions that the federal regime should therefore not be weaker than current state laws. In addition, the legislation should not preempt all state data security laws, only those that cover the same information covered in the legislation, so that states are able to add data security requirements to other categories of data that are not covered by the legislation.
Ideally, legislation addressing data security and data breaches would be incorporated into broader, baseline consumer privacy legislation. If Congress elects to pursue data breach notification independently, however, it should take care not to weaken the notification regime currently in place at the state level. CDT hopes that Congress continues to refine these bills and ultimately enacts meaningful protections that offer concrete improvements in data security.