SearchSecurity.com Interview on the Data Accountability and Trust Act
For those interested, I was recently interviewed by SearchSecurity.com concerning the Data Accountability and Trust Act ("DATA") passed in the House in December 2009. While I might not be cut out for a career in broadcasting, hopefully the information I provided is useful. If you would like more information, the Information Law Group has written several times on DATA and similar legislation pending in the Senate.
The Breach Notification Obligations in the Data Accountability and Trust Act
The Information Law Group has been following various Federal data security bills as they wind their way through the House and Senate. In December 2009, the Information Law Group commented on the passage of the Data Accountability and Trust Act ("DATA") by the House. I was recently asked by Data Protection Law and Policy (an excellent publication out of the UK focusing on data security and privacy issues) to take a closer look at the data breach obligations of the current version of DATA. The end result was my article entitled: "Potential changes to the US breach notice risk landscape".
In summary, my article discusses some of the similarities and differences between the current state-created breach notice regime and the system set forth under the proposed DATA law. DATA is interesting because it appears to create opposing breach notice incentives. On the one hand, there are mechanisms that could lead to less breach reporting, including:
- a "risk of harm" standard that is likely higher than many existing State laws;
- preemption of existing state law, which eliminates the "least common denominator" approach taken with respect to existing state law; and
- mandating call center and credit monitoring costs (these costs may be significant, and therefore encourage non-compliance, especially if enforcement is lax).
On the other hand, DATA allows for the imposition of civil penalties of up to $11,000 per violation (capped at $5 million). Each failure to send the required notification to an affected individual is treated as a separate violation. Depending on how vigorously the law is enforced, the risk of significant civil penalties is likely to encourage compliance.
How these factors would play out is unclear and up for debate. However, what is even more unclear is whether DATA will ever be made into law. The Senate is working on a similar bill, and assuming it passes the Senate it would still have to be reconciled with the House version. Consumer advocates will likely have concerns about the higher risk of harm threshold in the law. On the business side, I anticipate great resistance to call center and credit monitoring as mandatory costs. Moreover, the penalties for non-compliance may be problematic, especially for small and medium-sized organizations. As such, should DATA become law, it is likely to differ from this version.
House Passes Data Accountability and Trust Act (DATA)
On December 8, 2009, the Data Accountability and Trust Act, HR 2221 (DATA), moved one step closer to law by passing the House of Representatives. DATA is sponsored by Congressman Bobby Rush (D-IL). Note that the InfoLawGroup has previously commented on similar data security bills currently pending in the Senate. DATA shares elements with Senator Leahy's S. 1490, the Personal Data Privacy and Security Act, including not only breach notice obligations, but also information security policy requirements.
Both the Leahy and Rush bills also impose increased obligations on "information brokers," defined as follows in the Rush bill:
(6) INFORMATION BROKER- The term `information broker'--
(A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and
(B) does not include a commercial entity to the extent that such entity processes information collected by and received from a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party to (1) provide benefits for its employees or (2) directly transact business with its customers.
(The Leahy bill uses the term "data broker", but has a similar definition.) Information brokers would be required to submit their security policies to the FTC in the event their breach notice obligations were triggered. Moreover, DATA imposes obligations on information brokers concerning data accuracy, data access and disputed data. Information brokers would also be required to maintain audit logs or similar measures "which facilitate the auditing or retracing of any internal or external access to, or transmissions of, any data containing personal information collected, assembled, or maintained by such information broker."
While sometimes touted as a "national" data security law, the DATA appears to apply only to those entities regulated by the FTC:
The requirements of sections 2 and 3 shall only apply to those persons, partnerships, or corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act.
As such, it would not appear to apply to financial institutions, insurance companies, governmental bodies or common carriers (e.g. telecommunications companies or transportation companies).
Please note that while passage of DATA by the House is a major milestone, there may still be a long way to go before DATA becomes law. The Senate will have to pass its version of the bill, and the two versions would then have to go through reconciliation. Stay tuned.