Potential Legislation on the Horizon Following Major Data Breaches
In the wake of several major data breaches over the last several months, new data security and data breach notification bills have been introduced in the US Congress, and others may also be in progress.
Two key bills currently introduced are:
Bill S. 1815, the Data Broker Accountability and Transparency Act of 2017 (DBAT Act), which would set new accountability and transparency requirements for data brokers selling consumers’ sensitive information; and
Bill H.R. 3806, the Personal Data Notification and Protection Act of 2017 (PDNP Act), which would provide for a single national data breach notification standard.
Data Broker Accountability and Transparency Act Summary
The DBAT Act, introduced in the US Senate on September 14, would
impose requirements on data brokers to develop comprehensive privacy and security programs and to provide reasonable notice of any data breach to consumers;
allow consumers to access their personal information stored by data brokers in order to correct any inaccuracies; and
provide consumers with the right to opt out from having their personal data sold by data brokers for marketing purposes.
The Federal Trade Commission (FTC) would be granted the power to enforce the act and, within a year following enactment, promulgate regulations that would include establishing a centralized website for consumers that would list covered data brokers and information regarding their rights under the act.
Personal Data Notification and Protection Act Summary
The PDNP Act was introduced in the US House of Representatives on September 18, and would replace all 48 state data breach notification laws with one national standard. The legislation would require companies to notify affected individuals of a breach of sensitive personal information within 30 days of the discovery of the breach. The FTC would also be required to help coordinate such notification.
As proposed, notices sent to individuals in the case of a breach must include (i) a description of the sensitive personal information accessed by unauthorized persons; (ii) toll-free telephone numbers for reaching the company, major credit reporting agencies, and the FTC; and (iii) any information regarding victim protection assistance required by each individual’s state of residence.
Certain exceptions under the PDNP Act would include exemptions and permissible delays for national security and law enforcement, as well as a safe harbor for business entities that conduct risk assessments that conclude there is no reasonable risk that a security breach has harmed (or will harm) individuals whose personally sensitive information has been breached.