The Breach Notification Obligations in the Data Accountability and Trust Act

The Information Law Group has been following various Federal data security bills as they wind their way through the House and Senate.  In December 2009, the Information Law Group commented on the passage of the Data Accountability and Trust Act ("DATA") by the House.  I was recently asked by Data Protection Law and Policy (an excellent publication out of the UK focusing on data security and privacy issues) to take a closer look at the data breach obligations of the current version of DATA.  The end result was my article entitled:  "Potential changes to the US breach notice risk landscape".

In summary, my article discusses some of the similarities and differences between the current state-created breach notice regime and the system set forth under the proposed DATA law.  DATA is interesting because it appears to create counter-opposing breach notice incentives.  On the one hand, there are mechanisms that could lead to less breach reporting, including:

  • a "risk of harm" standard that is likely higher than many existing State laws;
  • preemption of existing state law, which eliminates the "least common denominator" approach taken with respect to existing state law; and
  • mandating call center and credit monitoring costs (these costs may be significant, and therefore encourage non-compliance, especially if enforcement is lax).

On the other hand, DATA allows for the imposition of civil penalties of up to $11,000 per violation (capped at $5 million). Each failure to send the required notification to an affected individual is treated as a separate violation.  Depending on how vigorously the law is enforced, the risk of significant civil penalties is likely to encourage compliance.

How these factors would play out is unclear and up for debate.  However, what is even more unclear is whether DATA will ever be made into law.  The Senate is working on a similar bill, and assuming it passes the Senate it would still have to be reconciled with the House version.  Consumer advocates will likely have concerns about the higher risk of harm threshold in the law.  On the business side, I anticipate great resistance to call center and credit monitoring as mandatory costs.  Moreover, the penalties for non-compliance may be problematic, especially for smaller and medium-sized organizations.  As such, should DATA become law, it is likely to differ from this version.