Over the years, Congress and the Senate have considered legislation of various kinds and scope containing data security provisions, including breach notification requirements for businesses holding certain kinds of sensitive personal information. This year is no exception: there are numerous security-related bills.
S.1408 is an example of a bill focused on breach notification. Senator Dianne Feinstein introduced it on July 22, 2011. It covers governmental agencies and any business entity engaged in interstate commerce that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information (PII). Sensitive PII includes a first initial or first name with last name, in combination with any of the following:
- a Social Security number, passport number, or alien registration number
- any two of (i) home address or telephone number, (ii) mother’s maiden name, or (iii) birthdate
- unique biometric identifier, such as fingerprint, voice print, or retina or iris image
- account identifier with an access code
Sensitive PII also includes any account or card number in combination with any necessary security code, even if no name is associated with it.
Under S.1408, a covered business must notify any US resident whose sensitive PII is reasonably believed to have been accessed or acquired following a security breach. If the covered business does not own or license the sensitive PII, it must also notify the owner or licensee, and need not notify affected individuals if the owner or licensee made the notification.
The notification must be made “without unreasonable delay” following the breach. The agency or business may delay notification to determine the scope of the breach or if a federal law enforcement agency determines that notification would impede a criminal investigation.
S.1408 says no notification is necessary if, after a risk assessment, the agency or business concludes that the breach will result in no significant risk of harm to affected individuals, it notifies the Secret Service of the breach, and the Secret Service does not state in writing that notice should be given anyway. There is a presumption of no significant risk of harm if the information was encrypted or was rendered indecipherable by the use of best practices, access controls, or other mechanisms of an effective industry practice or standard. Nonetheless, unlike under many state laws, encryption does not automatically remove the obligation to notify law enforcement, in this case the Secret Service.
The Department of Justice may enforce the bill’s requirements, as can state attorneys general. Civil penalties would be $1000 per day per individual affected, up to a maximum of $1M per violation, unless the conduct of the covered entity was willful or intentional. The bill does not create a private right of action, and preempts state breach notification laws, except for state requirements that breach notifications include information regarding victim protection assistance.
Some commentators speculated that 2011 would be the year for federal breach notification legislation. They cited the increasing number of breaches and breach notifications. Accordingly, they concluded that the public is fed up and Congress would have no choice but to act.
I disagree with these commentators. Ever since California enacted SB 1386 in 2003, Congress has taken up numerous data security bills, including those mandating breach notification. Each time, Congress failed to pass any such bills.
I side with other commentators who have stated in previous years that Congress is too busy with other legislation, and now too divided by party, to be able to pass any breach notification bill. Now that we are in a presidential election year, I believe there are too many distractions for Congress to pass data security legislation. In addition, the public is now receiving so many breach notifications that it has stopped noticing individual breaches. It takes them in stride and, as a whole, is not likely feeling enough pain to demand federal legislation. The present system of state notifications seems to be working well enough, and businesses don’t face radically different enough state laws to make a case that a federal law is necessary. Accordingly, I do not anticipate a new federal breach notification law this year, but I will watch to see if Congress proves me wrong.
Partner, Cooke Kobrick & Wu LLP