Congressional Insights: Data Privacy and Data Breach Legislation in 2012
While states have led the way in data privacy and data breach legislation to date, don’t count national legislation out yet. Three proposed bills that won initial committee or subcommittee approval at the national level in 2011 may live on to impact businesses in 2012 and beyond. The White House has also weighed in with a national cybersecurity proposal.
Here’s a quick look at how the Senate, House of Representatives and White House are trying to define personal information (PI), notification requirements and violation penalties as they relate to data loss.
The SAFE Data Act (H.R. 2577)
Status: The Commerce, Manufacturing and Trade Subcommittee approved the bill in July 2011.
Next steps: Consideration by the Energy and Commerce Committee.
This bill requires that consumers be notified “as promptly as possible” of a data breach involving their first and last names in combination with any two of the following: home address or telephone number, mother’s maiden name, and date of birth. The bill further defines PI as: unique biometric data, unique account identifiers and government-issued unique identifiers.
Notification requirements established by the bill direct businesses to:
- Deliver notices either in writing or by electronic means
- Include a description of the breached PI
- Inform consumers they are entitled to consumer credit reports and monitoring
- Provide the contact information for the Federal Trade Commission (FTC) and credit bureaus
- Inform federal officials and the FTC without delay
- Notify the media if the breach involves more than 5,000 residents of a single state
The bill exempts businesses from notification if a risk assessment concludes that there is no risk of harm to the individual. The bill also establishes fines of up to $5 million for violations.
Personal Data Privacy and Security Act of 2011 (S. 1151)
Status: The Judiciary Committee approved the bill in September 2011.
Next steps: Debate on the Senate floor.
This bill mandates notification without unreasonable delay and within 60 days of a breach. The bill is similar to H.R. 2577 in defining PI and in not requiring notification if a risk assessment finds no risk of identity theft, economic or physical harm. Violators would be subject to a fine of up to $11,000 per day per security breach. Fines would not exceed $1 million per violation unless conduct was found to have been willful or intentional. The bill explicitly provides that no private right of action exists.
Notifying federal officials is necessary if the breach exceeds 5,000 individuals or involves a database that is either owned by the federal government or includes the PI of 500,000 people nationwide.
Cyber Intelligence Sharing and Protection Act (H.R. 3523)
Status: The Intelligence Committee approved the bill in December 2011.
Next steps: House vote.
This bill proposes to help protect businesses from cyber threats and help the government catch the crooks perpetrating the crimes by opening the door to voluntary information sharing between enterprises and federal intelligence agencies. The bill also grants businesses access to National Security Administration data to help strengthen their network protection.
A red flag for consumer advocacy groups is an exemption from liability for businesses that come forward about hacking attacks. Critics also argue that the bill would lead to the misuse of consumers’ private data that they’ve entrusted to corporations. The American Civil Liberties Union (ACLU) is a vocal opponent of the bill, citing concerns that it would let the government needlessly monitor citizens’ Internet activity.
Cybersecurity Legislative Proposal
Status: The White House released the proposal in May 2011.
Next steps: Congressional consideration.
Responding to a Senate request for presidential input on cybersecurity legislation, the Obama Administration released this proposal, which uses the same definition of PI as H.R. 2577 and S. 1151. The notable difference is that this proposal authorizes the FTC to modify the definition of PI by rule. The proposal includes the same stipulation as S. 1151 to notify federal officials of a breach that exceeds 5,000 individuals, involves a federal database or encompasses the PI of 500,000+ people nationwide. It also requires that, if a company informs more than 5,000 individuals of the breach, it must also notify the credit bureaus.
Penalties of $1,000 per day with a $1 million per-violation cap would result from civil actions brought by state attorneys general.