October 22, 2019


(Another) Federal Data Breach Notification Law Introduced in Congress

Senate Democrats have introduced a third iteration of a federal data breach notification bill, the Data Security and Breach Notification Act of 2017 (S.B. 2179). If passed into law, this bill would replace the patchwork of 48 separate state breach notification laws and standardize breach reporting requirements, which currently vary from state to state.

Introduced by Sen. Bill Nelson (D-FL) and cosponsored by Sen. Richard Blumenthal (D-CT) and Sen. Tammy Baldwin (D-WI), the Data Security and Breach Notification Act would apply to companies that acquire, maintain or use consumers’ personal information. The bill’s definition of “personal information” is slightly broader than the corresponding definition under many state laws, and includes, for example, Social Security Numbers on their own, and names in combination with the following identifiers:

  • Government identification number, such as a driver’s license or passport

  • Unique biometric data, such as a fingerprint, voice recording or retina image

  • User names and passwords for access to anything of value

  • Any two of the following: home address or telephone number, mother’s maiden name or date of birth.

Financial entities that are in compliance with the Gramm-Leach-Bliley Act or covered entities in compliance with the HIPAA Security Rule would not be covered.

Most notably, the bill requires that companies notify individuals and the Federal Trade Commission within 30 days of discovering a data breach that involves consumers’ personal information. This is a significantly shorter notification period than most state laws, which require notification within 45 or 60 days, or even the HIPAA Breach Notification Rule, which requires breaches be reported no later than 60 days after detection. Where more than 5,000 individuals are affected, the credit reporting agencies must be notified as well. Notice to a designated government entity also will be required in any of the following circumstances:

  • The breach affects more than 10,000 individuals

  • The breach involves a database containing the personal information of more than one million individuals

  • The breach involves databases owned by the federal government

  • The affected individuals are government employees or contractors involved in national security or law enforcement.

The designated government entity will provide the notices it receives to the U.S. Secret Service, the Federal Bureau of Investigation, the Federal Trade Commission, the attorney general of each state where affected individuals reside and the U.S. Postal Inspection Service if the breach involves mail fraud.

If a company can reasonably conclude that there is no risk of identity theft, fraud or other unlawful conduct as a result of the breach, it would be exempt from the bill’s notification requirements. Under the bill, there is a presumption of no reasonable risk of identity theft or fraud if the data is rendered “unusable, unreadable, or indecipherable through a security technology or methodology” that is generally accepted by information security experts. The National Institute of Standards and Technology (NIST) is charged with identifying adequate security technologies and methodologies. Overall, as this risk-of-harm exemption is not currently available under all state laws, it represents a more business-friendly change and limits the risk of over-notification to consumers.

Additionally, the bill imposes significant penalties, including fines and up to five years in prison, on executives of companies that “intentionally and willfully” conceal and fail to report a data breach. This comes in the wake of highly publicized data breaches in which companies delayed notifying consumers that their personal and financial information had been compromised. States’ attorneys general also would have the right to bring a civil action on behalf of their residents to obtain civil monetary penalties of up to $11,000 per day for each day that the company is noncompliant.

The bill also would require companies to develop procedures to assess “reasonably foreseeable” system vulnerabilities and methods for disposing of data that is no longer being used through destruction or rendering it unreadable. The FTC would establish these new security standards and provide incentives to companies that implement technology that would render consumer data “unusable or unreadable if stolen during a breach.”

© 2019 Wilson Elser

About this Author

Gregory Bautista, Partner

Gregory Bautista is an experienced civil litigator with a focus on data breach response. He is keenly aware of the growing importance of assisting clients in developing and implementing data security risk management measures related to the receipt and use of highly sensitive and confidential data. Greg provides his clients with knowledge and guidance on information governance and e-discovery matters. He has embraced the concept of information governance, which melds the disciplines that exist in all businesses into a powerful enterprise-wide strategy.

Jeremy Merkel, Associate

Jeremy Merkel focuses his practice in the areas of cybersecurity and information governance in the context of the significant challenges presented by the management of data across the information life cycle. He helps clients address regulatory requirements, privacy laws and litigation obligations, while leveraging their data in support of operational requirements.

Jeremy gained considerable experience with technology and the law through positions at Facebook, the Federal Trade Commission and Harvard's Berkman Klein Center for Internet & Society. He also served as a legal intern on the executive leadership team in the Office of the Attorney General of New Jersey. Prior to joining Wilson Elser, he was an associate at a boutique civil litigation firm in New York City. Jeremy has been a social services volunteer tax preparer for a number of years.

Alex Moh, Associate

Alex Moh represents international and domestic insurers in commercial insurance matters related to various specialty and professional lines of insurance. His practice includes professional liability, directors and officers, employment practices liability, cyber, general liability, fidelity, and property insurance. Alex has experience working with insureds ranging from financial institutions, technology startups and law firms to architects and engineers, real estate professionals, and insurance agents and brokers. In addition, Alex counsels insurers in drafting policies...
