The Obama Administration has just released the proposed text of the Personal Data Notification & Protection Act as the latest step in its uniform federal breach notification initiative. Similar legislative efforts in the past have been unsuccessful, but there remains interest in federal legislation that would eliminate the need to navigate the patchwork of 47 different state breach notification laws. This article will highlight how the proposed federal law compares to most state breach notification requirements, and how it may impact businesses as a practical matter.
Higher Threshold Before the Federal Law Even Applies:
The proposed federal legislation only applies if a “business entity” collects the personal information of more than 10,000 individuals during a 12-month period. By comparison, most states’ breach notification laws apply to any business engaged in the collection of certain personal data as defined in state statute, regardless of the number of individuals about whom data is collected. Perhaps the most important takeaway: state breach laws will not become completely obsolete, as a number of businesses will not be affected by the proposed federal legislation.
Definition of Personal Information:
In contrast to the higher threshold of individuals involved, the proposed federal legislation contains a significantly more expansive definition of what constitutes personal information. Most state laws typically define Personally Identifiable Information (“PII”) to include an individual’s name when linked with a social security number, driver’s license/other identification number, or financial account/credit card information. [California and Florida recently expanded their definitions to include medical information, health insurance information, or email address with password.]
The proposed federal legislation includes not only all of the above but also any of the following, which when combined with an individual’s name, constitute “sensitive personally identifiable information:”
- Home address or telephone number;
- Mother’s maiden name;
- Month, day, and year of birth;
Further, any of the following alone constitute “sensitive personally identifiable information:”
- non-truncated social security number, driver’s license number, passport number, or alien registration number or other government-issued unique identification number;
- unique biometric data such as a finger print, voice print, a retina or iris image, or any other unique physical representation;
- a unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code;
- a user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account;
- Any combination of the following three:
  - an individual’s first and last name or first initial and last name;
  - a unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code; or
  - any security code, access code, or password, or source code that could be used to generate such codes or passwords.
What constitutes a breach?
The definition of a breach in the proposed federal legislation is similar in many respects to a typical state law, though it goes further than some. Many states consider an incident a breach only when there has been unauthorized acquisition of personal data. In addition to acquisition, the proposed federal legislation includes in its breach definition “access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization.”
Whom do you notify and under what circumstances?
Notifications of individuals would remain essentially the same under the proposed federal legislation, but it proposes to add certain agency notifications as well. Most states, and the proposed federal legislation, require notification to impacted individuals regardless of the number of individuals potentially impacted. In addition to individuals, many states require notification of the state Attorney General and the consumer reporting agencies if the breach impacts a specific trigger threshold, typically 500 to 1000 individuals.
The proposed federal legislation requires notifying the media and the consumer reporting agencies in any state where the number of individuals involved exceeds 5,000. Further, there are four circumstances under which a business will be required to notify a federal agency (yet to be designated by the Secretary of Homeland Security), which will then be required to notify the United States Postal Service, the FBI, and the Federal Trade Commission (“FTC”). These circumstances include:
- Breaches involving more than 5,000 people;
- Breaches involving a database that contains the information of more than 500,000 individuals;
- Breaches involving a database owned by the federal government; or
- Breaches involving information of individuals known to be employees or contractors of the federal government involved in national security or law enforcement.
Notification Shot Clock:
The proposed federal legislation states that notification in the case of a breach shall be made “without unreasonable delay” following the discovery by the business entity of a breach, and defines reasonable delay as not exceeding 30 days, although the FTC can grant additional time under certain circumstances upon request of the business. The expanded definition of breach to include “access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization” could create significant challenges in determining when the shot clock starts.
Exceptions to Notification:
The proposed federal legislation also includes a “safe harbor” section that exempts a business entity if it conducts a risk assessment and determines that there is no reasonable risk that a breach “has resulted in, or will result in, harm to the individuals” whose data was breached. While many state laws exempt from notification the disclosure of encrypted information, the proposed federal legislation requires that a business include logging data for a period of at least six months prior to submitting the risk assessment – a standard which may prove problematic for many businesses in conducting a risk assessment – and, within 30 days of discovery of the breach, submit that risk assessment to the FTC.
Federal Preemption and State Attorneys General:
The proposed federal legislation preempts any state or local law “relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data.” The proposed federal legislation does allow states to require that notices include information regarding victim protection assistance provided for by that state, and it empowers state Attorneys General to enforce state consumer protection laws in state courts, with the power to levy civil penalties of $1,000 per day per individual (with a maximum of $1,000,000 per violation unless the conduct is found to be willful or intentional). In order to enforce such laws and levy penalties, the state Attorney General must provide the FTC with written notice of the action, and any activity by an Attorney General is subject to the FTC’s right to stay the state’s action, initiate its own action, intervene in the state’s action, or file petitions for appeal. If the FTC has already instituted enforcement proceedings, states will have to wait until such federal proceedings are concluded before commencing their own enforcement actions. Think “preemption light.”