So far this month, three legislative proposals containing a national data breach notification requirement have been issued. On May 4, Rep. Bobby L. Rush (D-Ill.) reintroduced the Data Accountability and Trust Act. On May 11, Rep. Cliff Stearns (R-Fla.) introduced the Data Accountability and Trust Act (DATA) of 2011. One day later, the White House released a Cybersecurity Legislative Proposal.
The three proposals are built on a framework similar to many of the state breach notification laws. All three would preempt the breach notification laws in 46 states and the District of Columbia. Some of the notable similarities and differences include:
(1) the White House’s proposal and Rush’s bill more broadly define a security breach to cover unauthorized access to or acquisition of electronic data containing personal information, whereas the definition in Stearns’ bill is limited to “unauthorized acquisition”;
(2) the Rush and Stearns bills both define “personal information” as a person’s name, address, or phone number in combination with a Social Security number, driver’s license number, or financial account or credit card number along with any required security or access code, but the White House uses “sensitive personal information,” which is more broadly defined to include: (a) an individual’s name in combination with two of the following—address, telephone number, mother’s maiden name, or date of birth; (b) a non-truncated Social Security number or driver’s license number; (c) unique biometric data (e.g. fingerprint); (d) a unique account identifier (e.g. credit card number); and (e) any combination of a name, account number, or security or access code;
(3) all three contain a risk of harm notice trigger exempting a company from providing notice if it determines that there is no reasonable risk of identity theft, fraud, or unlawful conduct;
(4) all three create a presumption that no reasonable risk of harm exists if the data was encrypted;
(5) the White House’s proposal and Rush’s bill require notification to affected individuals not less than 60 days after the breach absent “extraordinary circumstances,” while Stearns’ bill requires notification “without unreasonable delay”;
(6) in addition to presumably requiring faster notification, Stearns’ bill does not permit a delay in notification at the request of law enforcement, unlike the White House proposal and the Rush bill;
(7) all three describe the method and content of the required notice;
(8) all three: (a) authorize the FTC to enforce violations as unfair or deceptive acts or practices; (b) permit state attorneys general to enforce violations through civil actions to recover penalties; and (c) preclude a private right of action by individuals;
(9) the White House proposal limits civil fines to no more than $1,000 per day and a maximum amount of $1,000,000, compared to no more than $11,000 per day and a maximum of $5,000,000 under the bills issued by Rush and Stearns; and
(10) the bills issued by Rush and Stearns both include additional data security requirements for information brokers, including establishing practices to make sure the information they collect is accurate and precluding the use of pretexting to obtain personal information.
Prior attempts to pass national data breach legislation—dating back to 2007—have failed. In 2009, Rush’s DATA bill was approved by the House, but it was never acted on by the Senate. Momentum towards enacting a national breach notification requirement, however, may be growing following recent high-profile data breaches and the privacy concerns related to smartphones and mobile applications. In addition to the three pending proposals, Rep. Mary Bono Mack has indicated that she will introduce her own proposal.