So I’ve had a chance to read Obama’s proposed data breach notification bill, The Personal Data Notification & Protection Act, and although it has a few interesting points, it’s pretty much a rehash of bills that have raised concerns among privacy advocates for years.
This post will describe just some of the provisions of the bill and then point out the concerns I see. This is intended as a “first take” post, and may be revised after further reading/reflection.
To whom would the bill apply?
The bill applies to “business entities” where that term is defined as any “organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture, whether or not established to make a profit.”
Comment: The inclusion of non-profits is important (and positive), as it would bring them under the authority of the Federal Trade Commission for enforcement purposes, as outlined later in the bill. Under existing law, the FTC does not have any enforcement authority over non-profits and educational institutions. This bill could be a game-changer on that, at least for breach notification, if not data security itself.
The title also includes a provision that any business entity engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information that the business entity does not own or license shall notify the owner or licensee of the information following the discovery of a security breach involving such information, unless there is no reasonable risk of harm or fraud to such owner or licensee. But what about the risk of harm or fraud to the owner’s or licensee’s customers? The language needs to be revised to include the customers or consumers in that risk assessment clause.
How is “security breach” defined?
As defined in the bill, “security breach” means a compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in –
(A) the unauthorized acquisition of sensitive personally identifiable information; or
(B) access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization.
Comment: Once again, we see paper records or non-digital data being excluded from reporting requirements. There’s no reason not to impose the same reporting requirements when the data are in paper or other formats. And don’t get too excited about the definition of a breach, as not all breaches will trigger notification, as evident later in the bill. The “in excess of authorization” language is also problematic for reasons Orin Kerr explained in his post on the CFAA. All that said, the bill’s definition of “sensitive personally identifiable information” (SPII) appears to be consistent with the most current state data breach laws that have been updated to include login credentials, biometric data, etc.
Who is required to notify?
a) IN GENERAL.—Any business entity engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired, unless there is no reasonable risk of harm or fraud to such individual.
Comments: And right there, I see two big drawbacks for consumers. First, “10,000” may mean that a lot of small businesses or e-tailers are now exempt from notification obligations. That does not serve consumers well when you consider that current state breach laws generally do require notification and those state laws will now be pre-empted. Second, the bill does not provide a definition of “harm.” What kinds of harm are being considered in the risk assessment? The bill needs to address the “harm” issue directly and provide a definition that includes the risk of social stigmatization, employment consequences, etc. The bill also provides a carve-out for HITECH-covered entities, i.e., compliance with HITECH notification requirements constitutes compliance with this Title. The bill provides a notification exemption if the entity is able to prevent the misuse of SPII before any financial fraud has occurred, but if fraudulent charges occur, notification must be made.
Timeliness
The bill requires notifications be made “without unreasonable delay following the discovery by the business entity of a security breach,” where reasonable delay doesn’t exceed 30 days, unless the entity demonstrates to the FTC that they need additional time to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment, restore the reasonable integrity of the data system, and provide notice to an entity designated by the Secretary of Homeland Security to receive reports and information about information security incidents, threats, and vulnerabilities when required.
Delays can also be approved for law enforcement and national security purposes.
Comment: For residents of some states, this will be an improvement as there may be no 30-day standard, but for some states, like California, this is a step backwards. Having the entity also seek the approval of the FTC for a delay is also new, and raises the question as to whether the FTC has the technical security savvy and personnel to be able to evaluate such requests. Given how relatively few data security enforcement actions they’ve undertaken (fewer than 60 publicly disclosed), how would they keep up with these new demands and responsibilities?
Safe Harbor
An entity would have safe harbor from the notification requirements if “a risk assessment conducted by or on behalf of the business entity concludes that there is no reasonable risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach.” The bill does not specify what types of certification or professional qualifications the risk assessor must have.
Interestingly, the safe harbor exemption would require the entity to actually have logging data going back for at least six months that show:
(1) for each communication or attempted communication with a database or data system containing sensitive personally identifiable information, the data system communication information for the communication or attempted communication, including any Internet addresses, and the date and time associated with the communication or attempted communication; and
(2) all log-in information associated with databases or data systems containing sensitive personally identifiable information, including both administrator and user log-in information.
Comment: I am a proponent of safe harbor exemptions for encrypted data if the encryption is of sufficient level. Of course, if the government decides that it has to have a key or backdoor to everything, the safe harbor provision should be eliminated. If government wants to help businesses, it should support encryption, not undermine it. I also like the proposed language requiring entities to maintain and provide logging data if they wish to avail themselves of the safe harbor exemption. But once again, if we are doing a risk assessment for “harm,” how you define “harm” is crucial, and the bill fails to address that.
Methods of Notice to Individuals and Content of Notice
The bill provides reasonable options for notice to individuals, but undercuts requirements by states for media notice. Under the provisions of the bill, media notice is only required if the number of residents in a state involved in a breach exceeds 5,000.
Comments: Media notice should be required if the entity is unable to reach individuals to provide individual notice. I would prefer all entities be required to provide substitute/media notices that are submitted to state consumer protection boards that can be posted on the states’ web sites, with a copy posted on the entity’s web site if they maintain a web site.
The bill also falls flat on the content of notice, only requiring “a description of the categories of sensitive personally identifiable information that was, or is reasonably believed to have been, accessed or acquired by an unauthorized person” as well as toll-free numbers and resources and the name of the entity that has the business relationship with the consumer. There is no requirement that the entity disclose when the breach occurred. Nor is there any requirement the entity provide any remediation services other than notification to the individual, proper authorities, and credit reporting databases.
A requirement to notify the individual of the name of the business entity that had the relationship with the consumer is a good one, as consumers often report that they don’t recognize the name of the entity notifying them of a breach and have no idea how the entity got their information. That said, the notice should include the date of breach if it can be determined and the date of discovery of the breach, as well as some statement as to how the breach occurred. I’ve been blogging about the elements of a good breach notification for years now. Businesses don’t want the kind of transparency I’ve advocated for, and it appears the government is happy to let them get away with covering up their data security sins. Then, too, this bill does not require entities to notify credit reporting databases if fewer than 5,000 are affected, putting the onus for fraud alerts and notifications on individuals. That’s just wrong.
Enforcement
Some of the most noteworthy provisions are in the enforcement section of the bill, where the Federal Trade Commission will take point, in coordination with the Consumer Financial Protection Board and the FCC.
Of note in the language (emphasis added by me):
For the purpose of the exercise by the Commission of its functions and powers under the Federal Trade Commission Act, a violation of any requirement or prohibition imposed under this title shall constitute an unfair or deceptive act or practice in commerce in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (section 57a(a)(1)(B) of title 15, United States Code) regarding unfair or deceptive acts or practices and shall be subject to enforcement by the Commission under that Act with respect to any business entity, irrespective of whether that business entity is engaged in commerce or meets any other jurisdictional tests in the Federal Trade Commission Act. All of the functions and powers of the Commission under the Federal Trade Commission Act are available to the Commission to enforce compliance by any person with the requirements imposed under this title.
Comment: Boom! The FTC would now be able to enforce notification even in the non-profit sector and education sector. Would that they could also enforce data security, too. Omitted from this bill (as far as I can tell) is any public listing of breaches like a “Hall of Shame” that we see with HIPAA breaches. Nor do I see any requirement that entities report breaches to state attorneys general, which they should be required to do, in my opinion.
Enforcement by State Attorneys General
While state attorneys general can still bring some actions, if the FTC has instituted a proceeding, any state action is trumped or suspended until the conclusion of the federal action.
Pre-Emption
As feared, this bill would pre-empt (often stronger) state laws:
The provisions of this title shall supersede any provision of the law of any State, or a political subdivision thereof, relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data, except as provided in section 104(c).
Comments: Businesses should be dancing in the streets over this bill. Consumers, not so much. Those consumers in states where there are currently no breach notification requirements at all will gain something. The rest of us are more likely to lose ground, with the exception of the 30-day timeline (and even that can be waived).
With a Republican Congress, this bill stands some chance of passing, which is why privacy advocates need to speak up and start urging Congress not to sell out consumers this way.