Data Breach, P&DS Litigation, Privacy

President Obama Proposes Legislation to Nationalize Data Breach Notification Standard

Data Breach Image2014 was the year of the data breach as several large, high profile breaches occurred, including EBay, Target, and Home Depot, that affected the personal data of millions of Americans.  On January 12, 2015, President Obama announced his intention to introduce legislation (by way of Congress) to require notification to consumers when their personal data has been compromised by a data breach.  This proposed law, the Personal Data Notification & Protection Act, is part of a more comprehensive legislative agenda by the White House, including a consumer privacy bill of rights and a law to promote student privacy.

Currently, 47 states (all but Alabama, South Dakota, and New Mexico) have data breach notification laws.  The President’s proposal incorporates many aspects of these state notification statutes into a single national standard.   This national standard is intended to provide all victims of a data breach throughout the United States with adequate and timely notice of a data breach.  If a national standard is adopted which preempts the various state laws, businesses may no longer need to go to the time, expense and difficulty of ensuring compliance with 47 separate notice requirements that could differ as to timing, format, and content.  To ensure that the Personal Data Notification & Protection Act effectively standardizes the notification procedures in the United States, proponents of the bill have stressed that the final version, if adopted, must preempt state notification laws.

The proposed legislation has several key provisions.   Of primary importance is the establishment of a notification requirement; business entities must notify consumers whose data may have been compromised within 30 days of discovering the data breach.  Notice by mail or telephone is generally required, but if certain conditions are met, notice by email or the media is also acceptable.  The proposed law also establishes the minimum content that must be provided in the notice:  the identity of the business entity that was breached, a description of the categories of sensitive personally identifiable information that was accessed during the breach, a toll-free telephone number consumers can use to contact the business regarding the breach, and the toll-free contact telephone numbers for the major credit reporting agencies as well as the Federal Trade Commission (“FTC”).   In addition, if more than 5,000 individuals are affected by the breach, the business entity must provide notice of the breach to all national consumer reporting agencies within 30 days.  It is notable that not all business entities are subject to the proposed national notification standard.  The Personal Data Notification & Protection Act only applies to a business entity engaged in or affecting interstate commerce that “uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period.”

The proposed law allows responsibility for notification to be allocated by contract between the owner of the data and a licensee or other party, and if the data owner provides notification of a breach, third parties who handle the data, but do not own it, are relieved from any notification requirements.   The proposed law also provides for “safe harbor” if the business conducts a “risk assessment” that determines there would be no reasonable risk of harm to individuals as a result of the breach.   The risk assessment must be conducted, and the results provided to the FTC, within 30 days of discovering the breach.

The Personal Data Notification & Protection Act would be enforced by the FTC, which would also have broad rule-making authority to interpret and further implementing the legislation.  The proposed legislation does not create a private right of action, but does provide for substantial civil penalties for a violation – a state’s attorney general, or other authorized state agency, may bring a civil action to enforce the law, for an injunction against an unlawful practice, and/or for civil penalties in the amount of $1,000 per day, per individual, up to $1,000,000 per violation unless the conduct is found to be willful or intentional.

The President’s proposal, though, is not without critics.  Some have argued that state legislatures are more responsive to technological changes impacting the manner in which data breaches occur than Congress, which has failed to pass a data breach notification law despite data security’s growing prominence as a major concern not only to consumer protection but also to national security.  According to these critics, the states can amend their laws to address the changes to data security and provide greater consumer protection more readily than Congress.  These critics also worry that a weaker federal data breach notification law that preempts the existing state laws will undermine the advances that states have made in protecting consumers from data breaches in recent years.

Brandon Gaskins

About Brandon Gaskins

Labor-and-employment attorney and commercial litigator Brandon Gaskins employs a comprehensive and strategic approach when counseling and litigating a variety of employment matters, from restrictive covenants to wage-and-hour issues, discrimination, wrongful termination, administrative complaints, high-stakes investigations, and more. Brandon’s broad employment-law expertise spans numerous federal and state laws such as Title VII, Americans with Disabilities Act as Amended (ADAA), Age Discrimination in Employment Act (ADEA), Fair Labor Standards Act (FLSA), and the Family and Medical Leave Act (FMLA). He also has experience in traditional labor matters, including union avoidance and unfair labor practices before the National Labor Relations Board, and significant experience conducting internal investigations, including harassment, employee misconduct, discrimination, ethical violations and retaliation.


No comments yet.

Leave a comment

Your email address will not be published. Required fields are marked *

Welcome to Data Points!

The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. Moore & Van Allen’s Privacy & Data Security Group recognizes the challenges clients face in the effort to stay abreast of such volatility. “Data Points” seeks to educate by providing transparent and cutting-edge insight on the most critical issues and dynamics. Our goal is to inform business decision-makers who are navigating these waters about the information they must protect, and what to do if/when security is breached.

Connect To Recent Authors

  • Karin McGinnis:  View Karin McGinnis' Bio View Karin McGinnis' LinkedIn profile
  • Todd Taylor:  View Todd Taylor's Bio View Todd Taylor's LinkedIn profile
  • Brandon Gaskins:  View Brandon Gaskins' Bio View Brandon Gaskins’ LinkedIn profile
  • Robert Sumner:  View Robert Sumner’s Bio
  • Carol Bowen:  View Carol Bowen's Bio View Carol Bowen’s LinkedIn profile

  • Subscribe to Blog via Email

    Follow MVA


    Blog Topics


    Interested In Other Topics?

    Tell us what else you are interested in here.

    Our Privacy & Data Security Practice

    Moore & Van Allen has a Privacy & Data Security practice with the depth and breadth to advise the multitude of business industries and practices impacted, including sales, human resources, data maintenance and storage, IT, legal and compliance, labor and employment, health care, finance, cross-border transactions, energy and litigation. All require careful attention to protecting the privacy of personal information as well as preserving the integrity of company, customer or third party data. To help our clients successfully navigate their data security challenges and manage their risk in these areas, our multi-disciplinary team draws on their deep experience in addressing data privacy and information security obligations and disputes. Read More About Our Practice and Meet the MVA Privacy & Data Security Team.


    No Attorney-Client Relationship Created by Use of this Website: Neither your receipt of information from this website, nor your use of this website to contact Moore & Van Allen or one of its attorneys creates an attorney-client relationship between you and Moore & Van Allen. As a matter of policy, Moore & Van Allen does not accept a new client without first investigating for possible conflicts of interests and obtaining a signed engagement letter. (Moore & Van Allen may, for example, already represent another party involved in your matter.) Accordingly, you should not use this website to provide confidential information about a legal matter of yours to Moore & Van Allen.

    No Legal Advice Intended: This website includes information about legal issues and legal developments. Such materials are for informational purposes only and may not reflect the most current legal developments. These informational materials are not intended, and should not be taken, as legal advice on any particular set of facts or circumstances. You should contact an attorney for advice on specific legal problems. (Read All)