The House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Mary Bono Mack (CA), approved the Secure and Fortify Electronic Data Act (H.R. 2577) (SAFE Data Act) following lengthy debate on July 20, 2011. The SAFE Data Act contains information security requirements and breach notice obligations consistent with Rep. Bono Mack’s statements following the subcommittee’s hearing regarding the breaches at Sony and Epsilon. The bill now moves to the full committee for consideration.
The information security requirements would come from regulations to be issued by the FTC within one year. The regulations must require companies that own or possess data containing personal information to implement policies and procedures to protect that information, including: (1) a security policy for the collection, use, and dissemination of personal information; (2) identification of a person responsible for managing information security; (3) a process for identifying foreseeable vulnerabilities, including regular monitoring to detect system breaches; (4) a process for taking preventative action to mitigate any identified vulnerabilities; and (5) a process for disposing of data in paper and electronic form.
The breach notification provisions of the Act require companies to notify law enforcement without unreasonable delay and notify the FTC and all affected individuals whose personal information “may have been accessed or acquired” within 48 hours of identifying the affected individuals. The notification to affected individuals must begin no later than 45 days after discovery of the breach unless the company receives a written request to delay notification by law enforcement.
Notice to affected individuals is required when there is unauthorized access to or acquisition of personal information in electronic format. Personal information is limited to a person’s name in combination with a: (1) Social Security number; (2) driver’s license number, passport number, or military ID; or (3) financial account number or credit or debit card number, along with any required code necessary to permit access to the account. There is also a risk-of-harm trigger: notice is not required if the company makes a reasonable determination that the breach presents “no reasonable risk of identity theft, fraud, or other unlawful conduct” to the affected individuals. A presumption exists that there is no reasonable risk of harm if the data was encrypted. Companies are also required to provide at no cost, upon the request of affected individuals, either credit reports on a quarterly basis for at least two years or credit monitoring for two years (this does not apply if the only personal information at issue is a name associated with a credit or debit card number).
Importantly, the SAFE Data Act preempts all state laws concerning information security requirements and breach notification obligations.
Democrats offered many amendments to the bill, including expanding the definition of personal information and not preempting stronger state notification laws, but they were rejected by the subcommittee. Representative Henry Waxman (CA), who offered some of the rejected amendments, contends that the bill is filled with “loopholes that sacrifice data security and privacy.”