On November 5, the Senate Judiciary Committee passed two bills that collectively would preempt a large swath of the patchwork quilt of state data security and breach notification laws that largely comprise the U.S. regulatory landscape today.
S. 1490, introduced by Sen. Patrick Leahy (D-Vt.), would preempt most state data security laws. The bill would mandate the implementation of a comprehensive data security program by all businesses that maintain personally identifiable information (PII) of 10,000 or more individuals and are not already required to do so by certain federal laws (such as GLBA for those maintaining financial information and HIPAA for those maintaining health information). Covered businesses would be required to conduct an internal data security risk assessment, adopt controls to reasonably manage those risks and to detect security breaches, and conduct regular vulnerability testing and reassessment to ensure that their program is appropriately managing risks.
The bill would also create a federal data breach notification requirement, preempting the variety of state laws that today cause compliance headaches for those that experience such a breach. The bill's provisions mirror most of the common themes of the state laws, including that breaches must be reported "without unreasonable delay" except as necessary for law enforcement or national security purposes, and that, in addition to the affected individuals, notification must be made to prominent media in every state in which the information of 5,000 or more individuals is reasonably believed to have been breached. Like some of the state laws, the bill contains a "risk of harm" threshold, exempting notification in situations in which it is determined that there is no significant risk that the breach will result in harm (subject to Secret Service approval of that determination). The use of effective encryption, redaction, or other industry-standard controls would create a statutory presumption that no harm is likely to result from a breach.
Among other provisions, the bill would:
- create a federal crime for intentionally and willfully "concealing" a breach of PII that one has an obligation to report;
- ask the U.S. Sentencing Commission to reevaluate criminal penalties associated with the theft or unauthorized access of PII;
- subject data brokers maintaining PII to standards similar to credit reporting agencies, including allowing individuals to request and correct false information maintained about them, and notifying individuals when a third party takes adverse action against them based on the PII furnished; and
- require federal contractors to meet certain data security requirements.
Notably, the House Energy and Commerce Committee passed a bill, H.R. 2221, containing a number of similar provisions, including those pertaining to the security program, breach notification, and data brokers. The second Senate bill, S. 139, introduced by Sen. Dianne Feinstein (D-Calif.), would create a federal data breach notification requirement largely mirroring that of S. 1490, and it too would preempt state data breach requirements. S. 1490 passed 14-5; S. 139 passed 14-2.
The civil penalties associated with a failure to comply with these bills would be substantial. Failure to institute a comprehensive security program would result in a fine of up to $5,000 per violation per day (double for willful violations) with a cap of $500,000 per violation, and failure to timely notify required parties of a reportable breach could lead to a penalty of up to $1,000 per day per individual whose PII was breached (doubled for willful violations), with a cap of $1,000,000 per violation. Violations of the data broker provisions could elicit penalties of $1,000 per violation per day, with a cap of $250,000 that would double with willful violations. In addition to the federal government (in some cases, the FTC was explicitly named), state Attorneys General would be granted the authority to enforce these laws on behalf of their affected residents.
Chances of this bill coming to a vote before the full Senate in the near term are slim, especially with health care and appropriations at the forefront of the legislative agenda and relatively few days left in the current session. Nevertheless, this is not the first data security legislation introduced in Congress, and given the thought and detail put into crafting these bills, the committee endorsement, the number of co-sponsors, and the increasing prevalence of identity theft and other related problems, such a law has a better-than-ever chance of coming into force at some point.