On July 20, 2011, the U.S. House of Representatives Energy and Commerce Committee’s Trade Subcommittee approved the Secure and Fortify Electronic Data Act (the “SAFE Data Act”). The Act would require any business that maintains personal information to implement an information security program and notify affected individuals in the event of an information security breach. The SAFE Data Act would preempt the over 45 existing state information security and breach notification laws and task the Federal Trade Commission with developing information security rules implementing the Act.
Some legislators and advocates have criticized as too narrow the definition of “personal information” that is within the scope of the Act. Specifically, the Safe Data Act would require breach notification only when an individual’s name, phone number or credit card number is compromised along with a Social Security number, driver’s license number or other government-issued ID. This definition is significantly narrower than the personal information within the scope of the numerous existing state breach notification laws. One of the concerns is that because the Safe Data Act would preempt existing state information security and breach notification laws, the passage of the Act would lead to less protection for consumers.
Existing state breach laws typically require notification when an individual’s first name or initial and last name are compromised in conjunction with a Social Security number, driver’s license number, government-issued ID number or a financial account number. In practice, the gap between state breach laws and the Safe Data Act is even wider. This is because companies operating nationwide affected by a multi-state breach often follow the broadest notification requirements among the various state laws. With some state laws requiring notification when, for example, a credit card number, financial account number, Social Security number, taxpayer ID or biometric data alone (without the individual’s name) is compromised, the practical notification threshold under current state breach notification laws may be significantly lower than that proposed by the Safe Data Act. Committee members expect the bill to evolve to address this and other concerns as it moves through Congress.
While there are disagreements regarding the specifics, the Trade Subcommittee’s approval of the Safe Data Act (especially while Congress is paralyzed by the debt ceiling negotiations) suggests strong support for federal information security legislation. For businesses, perhaps the most significant aspect of the Act is the preemption of over 45 existing state information security and breach notification laws. The preemption provision would provide much needed certainty for businesses in addressing information security breaches that currently are subject to the multitude of state requirements.