National Data Breach Legislation Advances in House Subcommittee
As the number of high-profile data breaches increases, there is mounting pressure on Congress to create a more unified regulatory standard governing company actions in response to a data breach.
In response to the growing calls for Congressional action, several competing legislative proposals have been introduced in Congress, including legislation promoted in President Obama’s State of the Union address (discussed here). Separately, on March 25, 2015, the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved draft legislation entitled the “Data Security and Breach Notification Act of 2015” (the “Draft Legislation”). Although not yet formally introduced in the House, this Draft Legislation moves a step closer to creating a national standard for data security and data breach response that would override much of the existing state law framework.
Currently, 47 separate state laws regulate a company’s response to a data breach. Each of them imposes various mitigation and response measures. To add to the complexity, existing state laws are triggered based on the state of residence of affected individuals and the states in which companies conduct business. Thus, companies find themselves having to navigate a complex web of regulatory obligations in response to most data breaches.
The Draft Legislation aims to streamline the current set of requirements and, if enacted into law, would have the following effects:
Data Security Requirements
The Draft Legislation requires businesses to implement and maintain “reasonable security measures” and practices to protect an individual’s personal information stored in electronic form. It does not define “reasonable security measures” and does not enumerate any factors to guide the “reasonableness” analysis. This may leave businesses struggling to understand what specific security measures they must implement to avoid penalties under this provision.
Breach Notification Requirements
The Draft Legislation provides that upon discovery of a “breach of security” (a standard that is specifically defined), the business must perform a prompt and good faith investigation of the incident to determine whether there is a reasonable risk of harm to consumers.
A business must notify affected consumers of a breach of security as expeditiously as possible, and in any event within 30 days after the business takes the necessary measures to determine the scope of the breach of security and restore its data systems, unless the business determines that there is no reasonable risk of identity theft or financial harm to the consumer.
If the incident involves 10,000 or more persons, the business must additionally notify (1) the Federal Trade Commission, (2) the FBI or Secret Service, and (3) the national consumer reporting agencies.
While current breach notice statutes include similar requirements, the Draft Legislation would standardize company reporting timeframes, the thresholds that trigger notice obligations, and the agencies that must be notified, eliminating the web of complex obligations presented under the current state law framework.
Enforcement and Statutory Liability
The Draft Legislation, if passed, would be enforceable by the Federal Trade Commission and state attorneys general. Maximum total liability under the Draft Legislation is capped as follows:
- $2.5 million for violations of the notification requirements relating to a single breach of security that results in (or if there is a reasonable basis to conclude has resulted in) unauthorized access to or acquisition of personal information, and
- $2.5 million per violation of the data security requirements.
It appears as though a company could be responsible for maximum liability under both standards in the context of a single breach, raising the effective aggregate cap amount to $5 million.
One Unified Standard at the State Level
The Draft Legislation would preempt or override all existing state notification laws, including state laws that are more protective of affected individuals. It would not, however, preempt HIPAA or most other federal, industry-specific data security and data breach response laws. The extent to which the Draft Legislation will override existing state laws promises to be a hotly debated topic as the discussion in Congress continues.