The proposed federal data breach notification law will simultaneously simplify and complicate things for organizations in the wake of a security breach, experts said.
The White House outlined the data breach notification law within the broad cyber-security proposal that was sent to Congress May 12. If passed as is, the law would trump existing state notification laws currently in place in 46 states, the District of Columbia, Puerto Rico and the Virgin Islands. The Federal Trade Commission would be responsible for enforcing the law along with state attorneys general. Civil penalties for violations could total $1 million.
While there are good and bad things about the proposed bill, there is a “net good” because it means there is only one law to follow in case of a data breach, said David McIntosh, a partner in the intellectual property group and corporate department at the law firm of Ropes & Gray. One of the difficulties organizations face after having data exposed or stolen has always been figuring out an appropriate response that complies with various state notification laws.
“One of the joys of the federal bill is standardization. One of the sorrows is that it’s not complete standardization,” McIntosh said.
Organizations will no longer have to negotiate “a patchwork of 47 state laws” after a data breach, the Obama administration said in its proposal. However, the bill did make allowances for states to define additional actions on top of the federal requirements the organization would have to follow.
If a state decides it wants organizations to include information about credit freezes or some local service in the notice sent to affected victims, it can enact such a provision, according to McIntosh. The organization is then back to having to produce a different version of the notification to meet that particular state’s requirements, but it will still be an improvement over the current system, McIntosh said.
However, the bill changes the rules a little bit, and not necessarily in a positive way. The proposed federal law defines personal identifying information much more broadly than state laws have traditionally defined it, which makes it “more complicated,” according to McIntosh. Most state notification laws are “triggered” when the data breach includes “name and a number,” meaning the stolen data includes the person’s first name, last name and some kind of government-issued identification number, such as a Social Security number or a driver’s license number, McIntosh said.
The proposed bill has broadened the scope of “sensitive personally identifiable information” significantly, McIntosh said. The proposed bill includes not only “unique biometric data” such as a fingerprint, voice print, or a retina or iris image in its definition of PII (personally identifiable information), but it also includes “any other unique physical representation.”
“What does that mean? Is that a photo?” McIntosh asked. He said it isn’t clear from the language whether the bill would include photographs of people as part of PII.
Definition Is So Retro
On the other hand, at least one critic thought the definition wasn’t broad enough. “The definition of personal information is so retro,” Eduard Goodman, the chief privacy officer of Identity Theft 911, wrote on the consumer rights group’s 911 blog. He believes email addresses, geo-location data, geo-tagged metadata in images and religious affiliation should be included as sensitive data. The bill also doesn’t include anything about lost or stolen paper records, Goodman said.
Under the proposed bill’s definition, the data breach at email marketing company Epsilon, in which an estimated 60 million email addresses and some names were stolen, would not be considered a data breach that would require the company to notify customers.
Goodman also said the bill “overprotects” small businesses by limiting who has to notify their customers of the breach. Businesses “engaged in or affecting interstate commerce that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period” are required to notify customers whose sensitive information may have been compromised, according to the proposed bill.
Businesses limited to only one state could argue they are not “engaged in or affecting interstate commerce,” Goodman said. A company claiming to deal with 8,000 people a year could also claim to be exempt, even if the data breach affected a decade’s worth of past and current customers in excess of 80,000 people, according to Goodman.
The bill also focuses on the private sector. There is nothing about how the law would apply to state agencies, such as those involved in the accidental data exposure in Texas and the recent malware infection in Massachusetts.
The proposals don’t consider smartphones, social networking sites, cloud computing and geo-location technologies, according to Goodman. “We can do better than this,” he said.
The good thing is that the FTC would have to come out with a lot of rules to clarify the law, and some of the provisions of the bill would likely be changed and modified before it becomes law, according to Goodman and McIntosh.
Congress has been trying to pass a national data breach notification law for a long time, so there are a lot of interests waiting to weigh in, McIntosh said.