It looks like we may actually get a federal data protection law that includes breach notice requirements this year. Such a law is long overdue, not only to protect personally identifiable information (PII), but also to relieve businesses of the growing headache of trying to comply with at least 36 state breach notice laws, dozens of other state-level data protection and credit freeze laws, and multiple industry-specific data protection laws.
On May 3 the Senate Judiciary Committee approved two significant bills that would require businesses and federal agencies to notify individuals if their personal data is breached. It will be interesting to see if either gets passed into law; various groups have significant concerns about the bills. However, the one specifically targeting PII breach notices looks to have a good shot.
At least the issue of protecting PII and making companies responsible for breaches continues to be discussed, with bills getting further than they have in the past.
Bill S. 495, the “Personal Data Privacy and Security Act of 2007,” is certainly a more comprehensive data security bill than has been proposed in the past, and it contains breach notice requirements.
* Companies failing to provide appropriate notification when a data breach occurs could face civil penalties of up to $1,000 per individual per day of violation, capped at $1 million, unless willful or intentional conduct is involved.
* The bill would preempt the existing 36 state data breach notice laws.
* The bill applies to “data brokers” and “data furnishers.” Data brokers are defined as:
“The term 'data broker' means a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purposes of providing such information to nonaffiliated third parties on an interstate basis.”
Data furnishers are defined as:
“DATA FURNISHER- The term 'data furnisher' means any agency, organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or nonprofit that serves as a source of information for a data broker.”
* “Sensitive” PII is defined as:
“(11) SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION- The term 'sensitive personally identifiable information' means any information or compilation of information, in electronic or digital form that includes–
(A) an individual’s first and last name or first initial and last name in combination with any 1 of the following data elements:
(i) A non-truncated social security number, driver’s license number, passport number, or alien registration number.
(ii) Any 2 of the following:
(I) Home address or telephone number.
(II) Mother’s maiden name, if identified as such.
(III) Month, day, and year of birth.
(iii) Unique biometric data such as a finger print, voice print, a retina or iris image, or any other unique physical representation.
(iv) A unique account identifier, electronic identification number, user name, or routing code in combination with any associated security code, access code, or password that is required for an individual to obtain money, goods, services, or any other thing of value; or
(B) a financial account number or credit or debit card number in combination with any security code, access code or password that is required for an individual to obtain credit, withdraw funds, or engage in a financial transaction.”
* A company’s risk assessment would have to be provided to the U.S. Secret Service in writing “without unreasonable delay,” and no later than 45 days after discovery of the breach.
* An amendment by Sen. Dianne Feinstein would require the Secret Service to determine, no later than 10 business days after receiving a company’s notification, whether a notification exemption is granted. The amendment also would authorize the Secret Service to seek additional information from the company, if necessary.
* S. 495 would increase criminal penalties for identity theft involving electronic personal data and make it a crime to “intentionally or willfully” conceal a security breach involving PII.
* Other amendments would establish a new Office of Federal Identity Protection at the Federal Trade Commission (FTC) and provide increased protection under bankruptcy law for people who have incurred debt due to identity theft.
* S. 495 gives individuals access to and the opportunity to correct any personal information held by “commercial data brokers” and to require the government to establish rules protecting privacy and security when it uses information from commercial data brokers.
Yes, this is quite comprehensive and covers a lot of ground. It is a good effort, but because of its breadth of scope it is unlikely to be signed into law.
Bill S. 239, the “Notification of Risk to Personal Data Act of 2007,” specifically addresses PII breach notification.
S. 239…
* Would require federal agencies and businesses to give individuals notice of data breaches of their personal information and announce a breach to the news media if it affected more than 5,000 individuals.
* Would require notice to the Secret Service if records of more than 10,000 individuals are obtained or if the database breached contains more than one million entries, is owned by the federal government, or involves national security or law enforcement.
* Would require covered entities to work with the U.S. Secret Service to determine whether breach notice should be provided, as S. 495 does. Notice to individuals would not be required if the Secret Service agreed that there was no significant risk of harm to any individual as a result of the breach of PII.
* Would preempt state breach notice laws, as S. 495 also does. Would also preempt any conflicting federal law.
* Would require a federal agency or business entity to notify an individual of a security breach involving personal data without unreasonable delay.
* Would require media notice as well as individual notice.
* Would require that the notice include a description of the type of PII breached and a toll-free number to call for more information.
* If more than 5,000 individuals must be notified, then the company or agency would have to coordinate with credit reporting agencies.
* Would allow for some exemptions for law enforcement and national security reasons.
* Would provide a safe harbor if a risk assessment determines there is “no significant risk of harm to individuals” and the Secret Service does not overrule that conclusion.
* Would not require notice for breaches that involve only credit card numbers, if the credit card issuer uses a security program that is designed to prevent financial fraud and provides for notice when a security breach leads to fraudulent transactions.
* Would authorize the U.S. Attorney General and state Attorneys General to bring civil actions and impose penalties for violations of the notice requirement.
The definitions and covered entities are the same as in S. 495.
Feinstein said the meaning of the term “harm” was intentionally left open in S. 239 to include a broad range of problems that could result from a data breach, including stalking and blackmail, as well as identity theft.
Unlike S. 495, S. 239 does not require businesses to file a risk assessment report with the government.
Companies would also be allowed to assess breaches on their own, without government oversight.
It is pretty clever that S. 239 was also introduced; I think it will be much harder to get S. 495 passed. And as Feinstein indicated, we need a federal breach notice law as soon as possible, not only to provide legal recourse and more consistent notification for the many PII breaches that continue to occur, but also to consolidate the 36 existing state laws into one set of rules for businesses to follow. Trying to comply with so many different state laws is creating significant headaches for businesses and costing them too much time and too many resources. Having one federal law for *ALL* companies that handle PII to follow just makes sense.
The requirement that the Secret Service approve breach notice waivers is interesting; since when has the Secret Service been regarded as a repository of information security and privacy expertise? Why not the FTC?
Right now, though, very few U.S. government agencies inspire much public confidence in their data protection practices.