Many of us have watched over the past few years as dozens of proposed federal data security and breach notification bills have been introduced, often with bipartisan support, but have failed to become law. This year has seen many of the usual proposals. For those of you keeping track, this year’s bills include: Rep. Rush’s Data Accountability and Trust Act — HR 2221; Sen. Leahy’s Personal Data Privacy and Security Act – S. 1490; Sen. Feinstein’s Data Breach Notification Act – S. 139; and Sens. Carper’s and Bennett’s "Data Security Act of 2010" – S. 3579. However, 2010 has also seen new and expansive proposals for broad and far-reaching data privacy legislation, including Rep. Boucher’s "discussion draft" and Rep. Rush’s "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (or “BEST PRACTICES Act”).
Most recently, on August 5, Sens. Pryor and Rockefeller introduced the "Data Security and Breach Notification Act of 2010" – S. 3742 (hereinafter "S. 3742" or the "Act"). S. 3742 is much more akin to the more traditional proposed breach notification and data security legislation mentioned above, and not nearly as ambitious as the draft Boucher Bill or the BEST PRACTICES Act. This post summarizes the key provisions in S. 3742.
Who is Covered
The proposed legislation would apply to persons and entities over which the FTC has authority AND non-profits.
Definition of Personal Information
Interestingly, the proposed definition of personal information looks like the traditional definition used in this country and not the more expansive definitions proposed in the Boucher Bill and BEST PRACTICES ACT. The bill defines personal information as "an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: (i) Social Security number. (ii) Driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity. (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account."
However, the bill would allow the FTC to modify this definition by rulemaking (a) for purposes of the information security program and information broker provisions to the extent that the modification would not unreasonably impede interstate commerce and would accomplish the purposes of this Act; or (b) for purposes of the breach notification requirements to the extent that the modification is necessary to accommodate changes in technology or practices, would not unreasonably impede interstate commerce, and would accomplish the purposes of this Act.
S. 3472 would preempt any state law that expressly (1) requires information security practices and treatment of data containing personal information similar to any of those required by the bill; and (2) requires notification to individuals of a breach of security resulting in unauthorized access to or acquisition of data in electronic form containing personal information. The Act also makes clear that no person other than State Attorneys General may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of the Act.
Information Security Policies, Procedures and Programs
Like several of the other proposed federal bills, S. 3742 would require the FTC to promulgate regulations to require every covered entity that owns or possesses data containing personal information, or contracts to have any third party entity maintain such data for such covered entity, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information. Reminiscent of some existing state and sectoral privacy and data security laws, this bill would require that such policies and procedures take into consideration (a) the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity; (b) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and (c) the cost of implementing such safeguards.
Such policies and procedures would include (a) a security policy with respect to the collection, use, sale, other dissemination, and maintenance of personal information; (b) the identification of an officer or other individual as the point of contact with responsibility for the management of information security; (c) a process for identifying and assessing any reasonably foreseeable vulnerabilities in the system or systems maintained by the covered entity, including regular monitoring for a breach of security; (d) a process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process, which might include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software; (e) a process for disposing of data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or indecipherable; and (f) a standard method or methods for the destruction of paper documents and other non-electronic data containing personal information.
All of this sounds very similar to the Gramm-Leach-Bliley Act and Massachusetts’ data security regulations, 201 CMR 17.00 et seq. (which took effect in March of this year) and therefore should not come as a surprise to most national or multinational organizations.
Special Requirements for Information Brokers
Not unlike the Leahy bill, S. 1490, S. 3472 includes a number of provisions that impose additional burdens and requirements on the collection, use, and disclosure of information by "information brokers." These requirements include accuracy, access, and dispute requirements similar to the Fair Credit Reporting Act’s (FCRA) requirements for consumer reporting agencies. Indeed, the bill explicitly provides that information brokers engaged in activities subject to FCRA and who are in compliance with sections 609, 610, and 611 of FCRA shall be deemed to be in compliance with certain of the bill’s information broker provisions.
So the first question is – well, who is an "information broker"? An "information broker" under the bill:
(A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and
(B) does not include a commercial entity to the extent that such entity processes information collected by or on behalf of and received from or on behalf of a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party directly or through parties acting on its behalf to: (1) provide benefits for its employees; or (2) directly transact business with its customers.
The bill explicitly exempts from its information broker provisions "a service provider for any electronic communication by a third party to the extent that the service provider is exclusively engaged in the transmission, routing, or temporary, intermediate, or transient storage of that communication."
Information brokers would be required to submit their security policies to the FTC in conjunction with a notification of a breach of security or upon request of the Commission. Further, for any information broker required to provide notification of a security breach, the proposed legislation gives the FTC authority to conduct audits of the information security practices of such information broker, or require the information broker to conduct independent audits of such practices (by an independent auditor who has not audited such information broker’s security practices during the preceding 5 years).
In addition, information brokers would be required, with certain limited exceptions, to establish reasonable procedures to assure the maximum possible accuracy of the information they collect, assemble, or maintain regarding individuals other than information which merely identifies an individual’s name or address.
The bill also would require information brokers to provide to each individual whose personal information they maintain, at the individual’s request at least one time per year and at no cost to the individual, and after verifying the identity of such individual, a means for the individual to review their information, and to place a conspicuous notice on their websites instructing individuals how to request access to such information and, as applicable, how to express a preference with respect to the use of personal information for marketing purposes. (This refers to another portion of the bill that requires an information broker that maintains any information which is used, shared, or sold by such information broker for marketing purposes to, in lieu of complying with the normal access and dispute requirements, provide each individual whose information it maintains with a reasonable means of expressing a preference not to have his or her information used for such purposes. If the individual expresses such a preference, the information broker may not use, share, or sell the individual’s information for marketing purposes.)
Whenever an individual whose information the information broker maintains makes a written request disputing the accuracy of any such information, the information broker, after verifying the identity of the individual making such request and unless there are reasonable grounds to believe such request is frivolous or irrelevant, would be required to correct any inaccuracy. There are exceptions to the access and dispute requirements in certain limited circumstances.
Information brokers would also be required to establish measures which facilitate the auditing or retracing of any internal or external access to, or transmission of, any data containing personal information that they collect, assemble, or maintain.
The bill includes anti-pretexting provisions that would make it unlawful for an information broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by (i) making a false, fictitious, or fraudulent statement or representation to any person; or (ii) providing any document or other information to any person that the information broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.
Breach Notification Requirements
The breach notification provisions of S. 3742 would require that any covered entity that owns or possesses data in electronic form containing personal information, not later than 60 days following the discovery of a breach of security of the system maintained by such covered entity that contains such data, (1) notify each individual who is a citizen or resident of the United States whose personal information was acquired or accessed as a result of such a breach of security; and (2) notify the FTC. The bill requires that a covered entity notify the major national credit reporting agencies of the timing and distribution of the notices if the covered entity must provide notification to more than 5,000 individuals. Such notice must be provided prior to distribution of the notices to affected individuals if it will not delay notice to those individuals.
Before discussing in detail the breach notification requirements, it is important to note a major exemption and presumption built into the bill. There is a risk of harm threshold in this bill. A covered entity is exempt from the requirements if, following a breach of security, such covered entity determines that there is "no reasonable risk of identity theft, fraud, or other unlawful conduct." Significantly, and reminiscent of the breach notification provisions in the HITECH Act, if the data in electronic form containing personal information is rendered unusable, unreadable, or indecipherable through a security technology or methodology (if the technology or methodology is generally accepted by experts in the information security field), there would be a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the security technologies or methodologies in a specific case, have been or are reasonably likely to be compromised.
It is clear that encryption is only one such technology or methodology anticipated by the bill. The bill directs that, not later than one year after the date of the enactment and biannually thereafter, the Commission, after consultation with the National Institute of Standards and Technology (NIST), relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies, issue rules or guidance to identify security methodologies or technologies, such as encryption, which render data in electronic form unusable, unreadable, or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data.
The law would require provision of two years of credit monitoring services. A covered entity required to provide notification must, upon request of an individual whose personal information was included in the breach of security, provide or arrange for the provision of, to each such individual and at no cost to such individual (A) consumer credit reports from at least one of the major credit reporting agencies beginning not later than 60 days following the individual’s request and continuing on a quarterly basis for a period of 2 years thereafter; or (B) a credit monitoring or other service that enables consumers to detect the misuse of their personal information, beginning not later than 60 days following the individual’s request and continuing for a period of 2 years. (There is an exception if the only personal information which has been the subject of the security breach is the individual’s first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code.) As part of the FTC’s obligation to promulgate regulations on breach notification, the FTC must "establish a simple process under which a covered entity that is a small business or small non-profit organization may request a partial waiver or a modified or alternative means of responding if providing or arranging for such reports, monitoring, or service is not feasible due to excessive costs relative to the resources of the small business or small non-profit entity and the level of harm to consumers caused by the data breach."
The notification to individuals must include:
(i) the date, estimated date, or estimated date range of the breach of security;
(ii) a description of the personal information that was acquired or accessed by an unauthorized person;
(iii) a telephone number that the individual may use, at no cost to such individual, to contact the covered entity to inquire about the breach of security or the information the covered entity maintained about that individual;
(iv) notice that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 2 years, or credit monitoring or other service that enables consumers to detect the misuse of their personal information for a period of 2 years, and instructions to the individual on requesting such reports or service from the covered entity, except when the only information which has been the subject of the security breach is the individual’s first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code;
(v) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and
(vi) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft.
In the event of a breach of security of the system maintained by any third party entity contracted to maintain or process data in electronic form containing personal information on behalf of any other covered entity who owns or possesses such data, such third party entity would be required to notify the covered entity of the breach of security.
Interestingly, the bill includes special provisions for "service providers," defined as covered entities "that provide electronic data transmission, routing, intermediate and transient storage, or connections to [their] system or network, where the covered entit[ies] providing such services do not select or modify the content of the electronic data, [are] not the sender or the intended recipient of the data, and such covered entit[ies] transmit, route, store, or provide connections for personal information in a manner that personal information is undifferentiated from other types of data that such covered entity transmits, routes, stores, or provides connections." For breach notification purposes, the bill provides that, if a service provider becomes aware of a breach of security of data in electronic form containing personal information that is owned or possessed by another covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider is required to notify only the covered entity who initiated such connection, transmission, routing, or storage if such covered entity can be reasonably identified.
Notification of individuals may be delayed if a covered entity can show that providing notice within 60 days of discovery is not feasible due to circumstances necessary to accurately identify affected consumers, or to prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system, in which case the notification must be made as promptly as possible. As in most federal proposed bills and many existing state breach notification laws, if a law enforcement agency determines that the notification would impede a civil or criminal investigation, notification must be delayed upon the written request of the law enforcement agency (in this case for 30 days or such lesser period of time which the law enforcement agency determines is reasonably necessary and requests in writing). A law enforcement agency may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request if further delay is necessary. Similarly, if a Federal national security agency or homeland security agency determines that the notification would threaten national or homeland security, notification may be delayed for a period of time which the national security agency or homeland security agency determines is reasonably necessary and requests in writing. The agency may revoke such delay or extend the period of time set forth in the original request by a subsequent written request if further delay is necessary.
Notification must be provided in writing by mail (or email under certain circumstances). Substitute notification is allowed if the covered entity owns or possesses data in electronic form containing personal information of fewer than 1,000 individuals and such direct notification is not feasible due to (i) excessive cost to the covered entity required to provide such notification relative to the resources of such covered entity, as determined in accordance with the regulations issued by the FTC or lack of sufficient contact information for the individual required to be notified. Like California’s SB 1386 (Civil Code section 1798.82), such substitute notification must include (i) e-mail notification to the extent that the covered entity has e-mail addresses of individuals to whom it is required to provide notification; (ii) a conspicuous notice on the website of the covered entity; and (iii) notification in print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside.
The bill requires the FTC to promulgate regulations regarding breach notification AND to provide and publish general guidance on compliance, including (i) a description of written or e-mail notification that complies with the requirements; and (ii) guidance on the content of substitute notification.
The bill grants the FTC authority to place any breach notifications it receives in a clear and conspicuous location on its website if the Commission finds that doing so would be in the public interest or for the protection of consumers.
The FTC and State Attorneys General may enforce the bill.