Embarrassing losses of personal data, whether due to intrusions into computer networks or sheer carelessness, seemingly are weekly news fodder. The recent PlayStation data security breach is only the most recent high-profile incident to afflict a major business, as Sony joined a long list of companies from ChoicePoint to TJ Maxx.
We learn about these data breaches because laws in 46 states require notification of breaches of the security of personal data kept in electronic form.
Currently, there is no general federal breach notification law, although certain laws (such as the Health Insurance Portability and Accountability Act) contain notification obligations for specific sectors of the economy. Now, prospects for a federal breach notification law suddenly appear brighter than in a number of years, due to recent actions by a leading member of the House of Representatives and a major boost from the Obama Administration.
State notification laws
The first state breach notification law was enacted by California in 2002, and 45 other states have since followed suit. These laws generally sought to deter identity theft by requiring that people whose names and financial account information in electronic files are accessed by unauthorized persons be notified of the danger so that they can take steps to protect themselves.
However, over time, the laws began to differ in details. As a result, the 46 different state laws now vary in many respects, including having:
- Different triggering requirements for notification
- Different definitions of what data are to be protected
- Different requirements as to whom, and how, notice must be given
- Different timetables for providing notice
- Different remedies.
These differences have led representatives of the business community to call for a uniform national law to govern notification of breaches of electronic data security. A single national standard would simplify compliance obligations, especially if it also preempted the various state laws, a matter particularly important for companies that operate on a multistate basis. Past Congresses have considered proposed federal data security breach notification laws, but none were enacted.
The Stearns bill
In May, Rep. Cliff Stearns (R-FL) introduced H.R. 1841, which would:
- Require businesses to establish reasonable data security policies and procedures for any data stored in electronic format
- Impose some additional obligations on data brokers
- Establish a federal standard for notification to affected individuals of breaches of data security.
The bill would authorize the FTC to adopt regulations regarding information security practices, including security policies, designating responsible corporate officers, vulnerability assessments and disposal. It also would preempt the 46 state breach notification laws and prohibit private rights of action. Enforcement would reside in the Federal Trade Commission and the state attorneys general.
The Stearns bill joins other proposed legislative initiatives covering the same ground, including one introduced earlier in May by Rep. Bobby Rush (D-IL). The Stearns and Rush bills are similar in many respects, suggesting that the House may be able to agree on a common approach. Earlier this month, the chair of the House subcommittee with jurisdiction over these bills, Rep. Mary Bono Mack (R-CA), introduced her own bill.
The White House proposal
Concurrently, the White House has released its cybersecurity legislative agenda. To the surprise of some, that agenda included a federal breach notification proposal applicable to businesses that collect, use, transmit or dispose of sensitive personally identifiable information on more than 10,000 individuals within a 12-month period.
The White House’s proposal differs from the Stearns bill in several respects. For example, it would protect many more categories of data, not limiting the scope to name and financial account information. Unlike the Stearns bill, the White House would also protect electronic data containing a person’s name, home address and mother’s maiden name, as well as biometric data. The White House also would allow businesses more time before providing notification upon learning of a breach.
In addition, it would provide that notification would not be required if the business determines that there is “no reasonable risk” of “harm” to the affected individuals, in contrast to the Stearns bill, which provides that notification would not be required if there is no reasonable risk of merely “identity theft, fraud, or other unlawful conduct.” It is unclear what “harms” might exist that are not subsumed by the three items listed in the Stearns bill; however, some have urged that the concept of “harm” should extend to disclosures of private information that are not necessarily criminal in nature.
Even with the general support of the White House, much water must pass under the bridge before a federal breach notification law is enacted. Similar bills have failed in past Congresses for a variety of reasons. These include disagreements between the House and Senate as to the proper approach, opposition to preemption from privacy advocates and states that might believe that the federal law provides insufficient protection, and disagreement as to the appropriate “risk” threshold for when businesses should be required to provide notice to affected persons. Still, prospects for federal legislation may be brighter now than at any time in recent years.