June 4, 2020


Potential Legislation on the Horizon Following Major Data Breaches

In the wake of several major data breaches over the last several months, new data security and data breach notification bills have been introduced in the US Congress, and others may also be in progress.

Two key bills currently introduced are:

  • Bill S. 1815, the Data Broker Accountability and Transparency Act of 2017 (DBAT Act), which would set new accountability and transparency requirements for data brokers selling consumers’ sensitive information; and

  • Bill H.R. 3806, the Personal Data Notification and Protection Act of 2017 (PDNP Act), which would provide for a single national data breach notification standard.

Data Broker Accountability and Transparency Act Summary

The DBAT Act, introduced in the US Senate on September 14, 2017, would

  • impose requirements on data brokers to develop comprehensive privacy and security programs and to provide reasonable notice of any data breach to consumers;

  • allow consumers to access their personal information stored by data brokers in order to correct any inaccuracies; and

  • provide consumers with the right to opt out from having their personal data sold by data brokers for marketing purposes.

The Federal Trade Commission (FTC) would be granted the power to enforce the act and, within a year following enactment, promulgate regulations that would include establishing a centralized website for consumers that would list covered data brokers and information regarding their rights under the act.

Personal Data Notification and Protection Act Summary

The PDNP Act was introduced in the US House of Representatives on September 18, 2017, and would replace all 48 existing state data breach notification laws with one national standard. The legislation would require companies to notify affected individuals of a breach of sensitive personal information within 30 days of discovering the breach. The FTC would also be required to help coordinate such notification.

As proposed, notices sent to individuals in the case of a breach must include (i) a description of the sensitive personal information accessed by unauthorized persons; (ii) toll-free telephone numbers for reaching the company, major credit reporting agencies, and the FTC; and (iii) any information regarding victim protection assistance required by each individual’s state of residence.

Certain exceptions under the PDNP Act would include exemptions and permissible delays for national security and law enforcement purposes, as well as a safe harbor for business entities that conduct a risk assessment concluding there is no reasonable risk that the security breach has harmed (or will harm) the individuals whose sensitive personal information was breached.

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

Rahul Kapoor, Intellectual property lawyer, Morgan Lewis

With a focus on commercial, intellectual property (IP), and technology transactions, Rahul Kapoor counsels clients on strategic alliances, joint ventures, and corporate partnering transactions in the technology and life science industries. He also handles standards body licensing structures, patent licensing, open source software strategy, e-commerce and privacy, supply and distribution agreements, consignment agreements, spinoffs and core technology licenses, and IT outsourcing transactions. Rahul is a member of the firm’s Advisory Board, leader of the India initiative...

Valerie A. Gross, Business Technology Attorney, Morgan Lewis

Valerie A. Gross focuses her practice on business technology transactions, including technology and business process outsourcing; systems integration; commercial agreements, including professional services and consulting agreements; and licensing and other technology-related agreements.