House Passes Data Accountability and Trust Act (DATA)

On December 8, 2009, the Data Accountability and Trust Act -- H.R. 2221 (DATA) -- moved one step closer to law by passing the House of Representatives.  DATA is sponsored by Congressman Bobby Rush (D-IL).  Note that the InfoLawGroup has previously commented on similar data security bills currently pending in the Senate.  The DATA in Congress has elements similar to Senator Leahy's S. 1490, the Personal Data Privacy and Security Act, including not only breach notice obligations but also information security policy requirements.

Both the Leahy and Rush bills also impose increased obligations on "information brokers," defined as follows in the Rush bill:

(6) INFORMATION BROKER- The term `information broker'--

(A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and

(B) does not include a commercial entity to the extent that such entity processes information collected by and received from a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party to (1) provide benefits for its employees or (2) directly transact business with its customers.

(The Leahy bill uses the term "data broker," but has a similar definition.)  Information brokers would be required to submit their security policies to the FTC in the event their breach notice obligations were triggered.  Moreover, the DATA imposes obligations on information brokers concerning data accuracy, data access and disputed data.  Information brokers would also be required to maintain audit logs or similar measures "which facilitate the auditing or retracing of any internal or external access to, or transmissions of, any data containing personal information collected, assembled, or maintained by such information broker."

While sometimes touted as a "national" data security law, the DATA appears to apply only to those entities regulated by the FTC:

The requirements of sections 2 and 3 shall only apply to those persons, partnerships, or corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act.

As such, it would not appear to apply to financial institutions, insurance companies, governmental bodies or common carriers (e.g. telecommunications companies or transportation companies).

Please note that while passage of DATA by the House is a major milestone, there may still be a long way to go before DATA becomes law.  The Senate will have to pass its version of the bill, and the two versions would then have to go through reconciliation.  Stay tuned.

Will 2010 See the Enactment of a Comprehensive Federal Data Security Law?

Today the Senate Judiciary Committee approved two federal data security bills, Senator Leahy's S. 1490, the Personal Data Privacy and Security Act, and Senator Feinstein's S. 139, the Data Breach Notification Act.  Of course, there have been dozens of proposed federal breach notification bills over the past several years, from both sides of the aisle.  Senator Leahy's office issued this statement earlier today. While we cannot predict the fate of S. 1490 and S. 139, and we will have future occasion to comment on the bills in more detail, Tanya and I wanted to highlight a few notable provisions now.

S. 139 appears to greatly expand the categories of personal information that would result in a notice obligation in the event of a breach. Under the bill, "sensitive personally identifiable information" includes first name and last name in conjunction with any two of the following pieces of information: home address or telephone number; mother's maiden name; or month, day, and year of birth. This definition would significantly alter a company's notice obligations under the current state regulatory scheme (most states follow California's model, requiring notice only for breaches involving name in conjunction with Social Security number, driver's license number, financial account number, and in some cases medical information). Under S. 139, a company that suffers a breach exposing only first and last name, address (or phone number) and date of birth would have notice obligations (subject to the risk of harm threshold incorporated into the bill, discussed below), including a requirement to notify the DOJ, resulting in further scrutiny. Moreover, this bill allows for fines of up to $1,000 per day per impacted person (up to $1 million).

The bill would preempt State breach notification laws. Notably, unlike many State laws, there is a risk of harm threshold in S. 139. This means that, where an organization's risk assessment concludes that there is no significant risk of harm to the individual, notification may not be required (affected organizations must notify the Secret Service of their intention to invoke the exemption).

S. 1490, Senator Leahy's Personal Data Privacy and Security Act, goes beyond breach notification. The bill addresses data security in a proactive, as opposed to reactive, manner. That is to say, it would require many organizations to put measures in place to secure information, and not merely require notice in the event of a security breach. The bill would, among other things, require any business entity engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons, to implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities. There are similar requirements today for financial institutions under Gramm-Leach-Bliley and for health care providers under HIPAA. In addition, Massachusetts regulations scheduled to go into effect on March 1 would require a similar program for companies that own or license the data of Massachusetts residents. S. 1490 also would require these business entities to conduct risk assessments regarding data security measures and put in place measures such as encryption, access controls, redaction and disposal of sensitive personally identifiable information. It would mandate training and vulnerability testing. The bill, like Massachusetts and other state laws, also requires appropriate due diligence and contract terms with third party service providers. It would preempt state law.

Separately, and perhaps of even greater interest, S. 1490 would impose new disclosure obligations on "data brokers": upon the request of an individual, a data broker would have to disclose to that individual all personal electronic records pertaining to that individual that are maintained specifically for disclosure to third parties requesting information on that individual in the ordinary course of business, as held in the databases or systems of the data broker at the time of the request. The broker also would be required to provide notice of adverse action, similar to regulations governing users of credit reports under the Fair Credit Reporting Act. "Data brokers" is a term broadly defined to include any business entity which, for monetary fees or dues, regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or its affiliate, primarily for the purposes of providing such information to nonaffiliated third parties on an interstate basis.

We will keep you posted.