John Eggerton reports that Senator Pat Toomey (R-PA) has introduced the “Data Security and Breach Notification Act of 2013” (S. 1193). Although the bill’s text is not yet available online, it’s reportedly the same bill he introduced last year:
In the event of data breaches, “the bill would direct companies possessing personal data to notify consumers by mail, email or telephone if their information is stolen. Senator Toomey introduced an identical measure last year,” the office of bill sponsor Sen. Pat Toomey (R-Pa.) said. It would also require companies to take “reasonable steps” to protect personal information. Bill co-sponsors include John Thune (R-S.D.) and Angus King (I-Maine).
As of Friday, the bill had seven co-sponsors and, after two readings, was referred to the Committee on Commerce, Science, and Transportation.
The text of last year’s bill can be found here. My reading of it does not leave me favorably impressed. For starters, the requirements for information security are:
Each covered entity shall take reasonable measures to protect and secure data in electronic form containing personal information.
What’s “reasonable?” Why not specify “at least industry standard” or “follow best practices?”
And why not cover data in non-electronic format? If a federal law is going to preempt state laws, it should include paper records, as at least seven states’ data breach notification laws also apply to paper records or records in any format.
As to the bill’s notification provisions in Section 3, the duty to notify would apply only to U.S. citizens or residents. So if a U.S. business had a breach affecting EU residents, there’d be no obligation to notify them, it seems.
The bill’s trigger for notification is that personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person, and the covered entity reasonably believes the access and acquisition has caused or will cause identity theft or other financial harm. A trigger that requires the data to have been accessed AND acquired AND likely to cause ID theft or other financial harm is not a consumer-protective trigger. How many times have we seen entities unsure as to whether data were actually exfiltrated or acquired? Under Senator Toomey’s bill, there’s almost an inducement to engage in no or sloppy forensics: if there’s no evidence of, or reasonable belief of, acquisition, there’s no trigger for notification. If a federal law is going to preempt state laws, it should be at least as strong as the state laws it would preempt. This proposed law isn’t. It needs a more consumer-protective trigger and to recognize that consumers should be notified of breaches that may not result in ID theft or financial harm, but could result in other kinds of injury or harm.
According to the proposed law, the notification itself would have to include, at a minimum:
(i) the date, estimated date, or estimated date range of the breach of security;
(ii) a description of the personal information that was accessed and acquired, or reasonably believed to have been accessed and acquired, by an unauthorized person as a part of the security breach; and
(iii) information that the individual can use to contact the covered entity to inquire about—
(I) the breach of security; or
(II) the information the covered entity maintained about that individual.
Note that there is no requirement to inform those affected what happened and how. That type of information is crucial for consumers to form their own opinions of risk from a breach. Being informed that an employee was arrested for copying consumers’ information is somewhat different from being informed that a laptop was stolen, along with other devices, from an employee’s unattended vehicle.
The bill contains a section titled “Enforcement By Federal Trade Commission,” which provides:
(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of section 2 [“Reasonable security”] or 3 [Notification] shall be treated as an unfair or deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
So if an entity doesn’t deploy “reasonable security,” they’re in violation of the FTC Act? Some will embrace that provision while others (like Wyndham, perhaps?) will not. And who determines – according to this bill – what is “reasonable security?”
The bill caps liability for violations and bars any private cause of action. Businesses will love that. Consumers, not so much.
Under definitions, the term “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual:
(i) Social Security number.
(ii) Driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity.
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
Given how many breaches these days involve usernames, email addresses and passwords, this bill would remove any obligation to report such breaches. In light of how many people re-use passwords, the bill’s definition of “personal information” should be reconsidered. Additionally, if a firm that was not a HIPAA-covered entity had a breach involving an individual’s name, date of birth, zip code, and the names of the medications they take, that would not be a reportable breach under this bill. That is unacceptable given what research suggests about the risk of identifying individuals from just a few pieces of information.
The bill does have a safe harbor, although it fails to specify a level of encryption such as “military-grade” or “NIST-grade”:
(ii) ENCRYPTED, REDACTED, OR SECURED DATA.—Personal information does not include information that is encrypted, redacted, or secured by any other method or technology that renders the data elements unusable.
Those are just some of my reactions to the bill. You may have other concerns about it or see some benefits to it. All in all, though, this bill benefits businesses and covered entities at the expense of consumers. Hopefully, it will die in committee.
I look forward to the day when someone in Congress proposes a bill that is at least as strong as the state laws it would preempt.