2014 was the year of the data breach: several large, high-profile breaches, including those at eBay, Target, and Home Depot, affected the personal data of millions of Americans. On January 12, 2015, President Obama announced his intention to introduce legislation (by way of Congress) requiring that consumers be notified when their personal data has been compromised by a data breach. This proposed law, the Personal Data Notification & Protection Act, is part of a more comprehensive legislative agenda by the White House that also includes a consumer privacy bill of rights and a law to promote student privacy.
Currently, 47 states (all but Alabama, South Dakota, and New Mexico) have data breach notification laws. The President’s proposal incorporates many aspects of these state notification statutes into a single national standard, intended to provide all victims of a data breach throughout the United States with adequate and timely notice. If a national standard is adopted that preempts the various state laws, businesses would no longer need to go to the time, expense and difficulty of ensuring compliance with 47 separate notice requirements that can differ as to timing, format, and content. To ensure that the Personal Data Notification & Protection Act effectively standardizes notification procedures in the United States, proponents of the bill have stressed that the final version, if adopted, must preempt state notification laws.
The proposed legislation has several key provisions. Of primary importance is the establishment of a notification requirement; business entities must notify consumers whose data may have been compromised within 30 days of discovering the data breach. Notice by mail or telephone is generally required, but if certain conditions are met, notice by email or the media is also acceptable. The proposed law also establishes the minimum content that must be provided in the notice: the identity of the business entity that was breached, a description of the categories of sensitive personally identifiable information that was accessed during the breach, a toll-free telephone number consumers can use to contact the business regarding the breach, and the toll-free contact telephone numbers for the major credit reporting agencies as well as the Federal Trade Commission (“FTC”). In addition, if more than 5,000 individuals are affected by the breach, the business entity must provide notice of the breach to all national consumer reporting agencies within 30 days. It is notable that not all business entities are subject to the proposed national notification standard. The Personal Data Notification & Protection Act only applies to a business entity engaged in or affecting interstate commerce that “uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period.”
The proposed law allows responsibility for notification to be allocated by contract between the owner of the data and a licensee or other party. If the data owner provides notification of a breach, third parties who handle the data but do not own it are relieved of any notification requirement. The proposed law also provides a “safe harbor” if the business conducts a “risk assessment” that determines there would be no reasonable risk of harm to individuals as a result of the breach. The risk assessment must be conducted, and its results provided to the FTC, within 30 days of discovering the breach.
The Personal Data Notification & Protection Act would be enforced by the FTC, which would also have broad rule-making authority to interpret and further implement the legislation. The proposed legislation does not create a private right of action, but it does provide for substantial civil penalties for a violation: a state’s attorney general, or other authorized state agency, may bring a civil action to enforce the law, to obtain an injunction against an unlawful practice, and/or to recover civil penalties of $1,000 per day, per individual, up to $1,000,000 per violation unless the conduct is found to be willful or intentional.
The President’s proposal, though, is not without critics. Some have argued that state legislatures are more responsive than Congress to the technological changes affecting how data breaches occur; Congress has failed to pass a data breach notification law despite data security’s growing prominence as a major concern not only for consumer protection but also for national security. According to these critics, the states can amend their laws to address changes in data security and provide greater consumer protection more readily than Congress. These critics also worry that a weaker federal data breach notification law that preempts the existing state laws would undermine the advances states have made in recent years in protecting consumers from data breaches.