Today the Senate Judiciary Committee approved two federal data security bills, Senator Leahy’s S. 1490, the Personal Data Privacy and Security Act, and Senator Feinstein’s S. 139, the Data Breach Notification Act. Of course, there have been dozens of proposed federal breach notification bills over the past several years, from both sides of the aisle. Senator Leahy’s office issued this statement earlier today. While we cannot predict the fate of S. 1490 and S. 139, and we will have future occasion to comment on the bills in more detail, Tanya and I wanted to highlight a few notable provisions now.
S. 139 appears to greatly expand the categories of personal information that would result in a notice obligation in the event of a breach. Under the bill, “sensitive personally identifiable information” includes first name and last name in conjunction with any 2 of the following pieces of information: Home address or telephone number; Mother’s maiden name; or Month, day, and year of birth. This definition would significantly alter a company’s notice obligations under the current state regulatory scheme (most state follow California’s model, requiring notice only for breaches involving name in conjunction with Social Security number, driver’s license number, financial account number, and in some cases medical information). Under S. 139, a company that suffers a breach exposing only first and last name, address (or phone number) and date of birth would have notice obligations (subject to the risk of harm threshold incorporated into the bill, discussed below), including a requirement to notify the DOJ, resulting in further scrutiny. Moreover, this bill allows for fines up to $1,000 per day per impacted person (up to $1 million).
The bill would preempt State breach notification laws. Notably, unlike many State laws, there is a risk of harm threshold in the S. 139. This means that, where an organization’s risk assessment concludes that there is no significant risk of harm to the individual, notification may not be required (affected organizations must notify the Secret Service of their intention to invoke the exemption).
S. 1490, Senator Leahy’s Personal Data Privacy and Security Act, goes beyond breach notification. The bill addresses data security in a proactive, as opposed to reactive, manner. That is to say, it would require many organizations to put measures in place to secure information, and not merely require notice in the event of a security breach. The bill would, among other things, require any business entity engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons, to implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities. There are similar requirements today for financial institutions under Gramm-Leach-Bliley and for health care providers under HIPAA. In addition, Massachusetts regulations scheduled to go into effect on March 1 would require a similar program for companies that own or license the data of Massachusetts residents. S. 1490 also would require these business entities to conduct risk assessments regarding data security measures and put in place measures such as encryption, access controls, redaction and disposal of sensitive personally identifiable information. It would mandate training and vulnerability testing. The bill, like Massachusetts and other state laws, also requires appropriate due diligence and contract terms with third party service providers. It would preempt state law.
Separately, and perhaps of even greater interest, S. 1490 would impose new disclosures on “data brokers” to, upon the request of an individual, disclose to such individual all personal electronic records pertaining to that individual maintained specifically for disclosure to third parties that request information on that individual in the ordinary course of business in the databases or systems of the data broker at the time of such request. The broker also would be required to provide notice of adverse action, similar to regulations governing users of credit reports under the Fair Credit Reporting Act. “Data brokers” is a term broadly defined to include any business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purposes of providing such information to nonaffiliated third parties on an interstate basis.
We will keep you posted.