A House subcommittee held a hearing yesterday on the SAFE Data Act, a draft data security and breach notification bill that, among other things, would require businesses to minimize the amount of personal information they maintain about consumers and notify law enforcement within a very short time frame — within 48 hours of discovering a breach. The draft legislation, which was presented by Rep. Mary Bono Mack (R-CA), is based upon a similar proposal that passed the House in 2009 but stalled in the Senate.
Rep. Bono Mack, the Chairman of the House Subcommittee on Commerce, Manufacturing, and Trade, called the draft bill “an upgraded, 2.0 version of data-security legislation, encompassing many of the lessons learned in the aftermath of massive data breaches at Sony and Epsilon, which put more than 100 million consumer accounts at risk.” The proposed legislation would:
- Preempt the breach notification laws that have been passed in 46 states and the District of Columbia;
- Require companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data (in accordance with regulations that would be issued by the FTC);
- Require covered organizations to establish a data minimization plan providing for the elimination of consumers’ personal data that is no longer necessary for business purposes or other legal obligations;
- Require the notification of law enforcement within 48 hours after discovery of a breach, unless the breach was an innocent or inadvertent breach unlikely to result in harm;
- Require companies and other entities to notify the FTC and to begin notifying consumers within 48 hours after completing an assessment of a breach (unless the assessment indicates that there is “no reasonable risk of fraud, identity theft, or other unlawful conduct” from the breach); and
- Allow the FTC to issue regulations modifying the definition of “personal information.”
These requirements would be enforced by the FTC and state attorneys general. The draft bill does not provide for a private right of action, and it specifically exempts from coverage entities subject to GLBA and HIPAA data security requirements.
At yesterday’s hearing before the Subcommittee on Commerce, Manufacturing, and Trade—which also held a hearing on June 2 regarding the Sony and Epsilon breaches, as well as a general hearing on May 4 about the ongoing threat of data breaches to consumers—reactions to the Bono Mack proposal were mixed. FTC Commissioner Edith Ramirez, a witness at the hearing, expressed concern that the draft bill did not set a specific deadline for the risk assessment that a company must complete following a breach. “There ought to be some form of cutoff period to ensure that consumers receive appropriate notification,” Ramirez said.
One lawmaker criticized the draft bill’s data minimization requirements, noting that data about consumers may be retained for a long period of time for good reason, while others said the proposal went too far by giving the FTC authority to change the definition of personal information and by requiring notification when there is a “reasonable” risk of harm (instead of the narrower “significant” risk standard).
If the draft legislation is formally introduced in the House—and Bono Mack has said she is hoping to move the bill through the chamber before the August recess—it will join a growing number of privacy and data security bills that have been introduced in Congress this year. Indeed, on the same day as the hearing on the Bono Mack proposal, Senators John Rockefeller and Mark Pryor introduced legislation that would also require companies to safeguard personal information and inform consumers in the event of a breach. Separately on that day, Senators Al Franken and Richard Blumenthal introduced a bill that would require mobile device makers and app developers to obtain consumers’ express consent before collecting and sharing their location information.