Analysis of White House Data Breach Notification Bill
On Monday, President Obama announced his proposal of the Personal Data Notification & Protection Act, which would set nationwide rules for data breach notifications and preempt the patchwork of state breach notification laws.
The White House has since released the text of the nine-page bill. Below is an overview of the key provisions of the White House proposal, compared with the five breach notification bills that were introduced in the Senate last year: the Data Security and Breach Notification Act, Toomey (R-PA); Personal Data Privacy and Security Act, Leahy (D-VT); Data Security Act, Carper (D-DE) and Blunt (R-MO); Data Security and Breach Notification Act, Rockefeller (D-WV); and Personal Data Protection and Breach Accountability Act, Blumenthal (D-CT).
The White House breach notification proposal contains many elements of bills that already have been introduced, but there are some key differences. The White House bill generally applies to a broader range of categories of personal information than many of the other bills. But the White House proposal also contains exceptions for breaches that do not pose an immediate risk of harm, and for small businesses that do not process large amounts of personal information.
“Sensitive Personally Identifiable Information” means “any information or compilation of information, in electronic or digital form, that includes:
(1) an individual’s first and last name or first initial and last name in combination with any two of the following three data elements:
(a) home address or telephone number;
(b) mother’s maiden name; or
(c) full birth date;
(2) a non-truncated social security number, driver’s license number, passport number, or alien registration number or other government-issued unique identification number;
(3) unique biometric data such as finger print, voice print, retina or iris image, or any other unique physical representation;
(4) a unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code;
(5) a user name or email address, in combination with a password or security question/answer that would permit access to an online account; or
(6) any combination of the following three data elements:
(a) an individual’s first and last name or first initial and last name;
(b) a unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code; or
(c) any security code, access code, or password, or source code that could be used to generate such codes or passwords.”
The White House proposal allows the Federal Trade Commission to amend the definition of “sensitive personally identifiable information” if the Commission determines that any particular combinations of information are sensitive, or that any particular piece of information, on its own, is sensitive.
The White House definition of covered information is broader than those in many of the bills introduced in Congress. For instance, the Toomey bill would cover only three categories of information (social security numbers, government identification card numbers such as driver’s licenses, and financial account numbers with security codes), and only if they are disclosed along with an individual’s name. Even the Rockefeller bill, which is considered among the most expansive proposals, would have covered the disclosure of passport and driver’s license numbers only if they were disclosed along with the individuals’ names. The White House bill, in contrast, would cover those numbers even if they were not accompanied by the individuals’ names.
Risk of Harm
The White House bill exempts businesses from the individual notice requirements if a risk assessment concludes that “there is no reasonable risk that a security risk has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach.” If the data is unusable, unreadable, or indecipherable, there is a presumption that no reasonable risk exists. If a business makes this determination, it must notify the Commission of the results and its decision, in writing, within 30 days.
The White House’s risk-of-harm threshold is similar to those found in many of the other federal proposals and state laws, but the requirement to provide the risk-of-harm analysis to a regulator departs from most state laws and could be concerning to the business community. Among the 47 states that have adopted breach notice laws, only Alaska, Florida and Vermont contain similar requirements.
Exceptions from coverage
Under the White House bill, the requirement to notify individuals applies only to businesses engaged in interstate commerce that use, access, transmit, store, dispose of, or collect sensitive personally identifiable information about more than 10,000 individuals during a 12-month period. This provision is relatively unusual among the proposals, and would exempt some small businesses from the individual notice requirement.
Businesses that are required to provide health-related breach notifications under the Health Information Technology for Economic and Clinical Health Act also are not exempt from these requirements.
Form of individual notice
The White House bill requires businesses to provide both individual notice and media notice.
Mailed or telephone notice satisfies the individual notice requirement. Email notice also is sufficient if the individual has consented to receive such notice and the notice is consistent with the federal ESIGN Act.
Media notice also is required if the breach resulted in disclosure of sensitive personally identifiable information of more than 5,000 individuals in a state. The notice to the media must be “reasonably calculated to reach such individuals, such as major media outlets serving a State or jurisdiction.” This would be a significant departure from existing state laws, which only require media notice as a form of alternative notice.
Deadline for individual notice
Under President Obama’s proposal, a business must provide individual notice within 30 days of discovering the security breach. A business may request additional time from the Commission if it can demonstrate that the extension is reasonably necessary to determine the breach’s scope, prevent further information disclosures, conduct a risk assessment, restore the integrity of the data, or provide notice to federal law enforcement.
Notice to government
The White House bill requires businesses to notify federal law enforcement and national security authorities of a data breach if:
(1) the sensitive personally identifiable information of more than 5,000 individuals was accessed or acquired;
(2) the breach involved a data system containing sensitive personally identifiable information of more than 500,000 individuals nationwide;
(3) the breach involves databases owned by the federal government; or
(4) the breach primarily involves sensitive personally identifiable information of federal employees and contractors who are involved in national security and law enforcement.
This requirement is similar to government notice provisions in other proposals, including the Blumenthal and Leahy bills.
Notice to credit reporting agencies
If a breach involved more than 5,000 individuals, businesses also must notify all consumer reporting agencies of the timing and distribution of the notices within 30 days, unless they receive an extension from the FTC. Previous legislation has contained similar proposals.
Under President Obama’s proposal, the FTC, in consultation with the U.S. Attorney General, may initiate an investigation into a business’s compliance with the law. State attorneys general also may bring civil actions on behalf of their residents, seeking injunctive relief or civil penalties of up to $1,000 per day per individual, with a maximum of $1 million per violation unless the conduct has been found to be willful or intentional. Before bringing an action under this law, a state attorney general would be required to notify both the FTC and the U.S. Attorney General. Unlike the Blumenthal bill, the White House proposal does not provide a private right of action for individuals.
Like most of the previous federal proposals, the White House bill would preempt state laws that require businesses to notify customers of data breaches. But states still would be allowed to require notices to include information regarding state-provided victim protection assistance.