Federal Data Security Breach Legislation – Status Report
We have reported previously in this newsletter about security breaches at companies that maintain consumer personal information records that had received national attention, and the regulatory reaction to those breaches. We have also previously offered an action guide to help our clients take steps to prevent security breaches. Following the highly publicized Choicepoint, DSW Shoe Warehouse and LEXIS-NEXIS security breaches during 2005, and the very vocal reaction by members of Congress, it was our every expectation that a national version of the California notification law would have been enacted before year end. However, despite the introduction in Congress of multiple bills intended to address consumer data security, it does not appear that federal legislation will be passed until next March at the earliest.
A bill approved by the Senate Judiciary Committee (S1789) would partly preempt state laws and create one unified law for all 50 states. It would require data brokers to allow U.S. residents to correct their personal data, and it would require businesses holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies. Businesses that do not implement security plans could be fined up to $35,000 a day if found in violation of the requirement. The Judiciary bill would allow companies that suffer data breaches to avoid notifying consumers if they determine the breach poses "no significant risk" of identity theft or other data fraud. But, unlike some other data-breach bills in Congress, the Specter-Leahy bill would require companies that determine there is no risk from a data breach to report their findings to the U.S. Secret Service, which can then conduct its own investigation.
In contrast, HR 4127, the DATA bill, endorsed by Microsoft and Entrust, would give all 50 states the same law, but would prohibit lawsuits against data warehouse companies due to accidental disclosure, and would allow potential ID theft victims to put a seven-year fraud alert on their credit reports. Other Congressional committees are contemplating 15 other competing bills.
Recently, forty-seven state attorneys general sent a letter to U.S. Senate and House of Representatives leaders urging Congress to enact strong national security breach and credit freeze legislation to help protect consumers from identity theft. They expressed concern over the rapidly growing crime of identity theft, which they said costs their states over $50 billion a year. They further warned Congress that if it cannot come up with a strong enough law, it had best leave the matter to the jurisdiction of the states. The letter opposed any move by Congress that would make the FTC the sole enforcer of any new security breach notification and security freeze laws, and spoke out against preemption of State laws. The AGs suggested that instead of full preemption, Congress should consider a “tailored” preemption of those states’ laws that are “inconsistent” with the federal laws, and then only to the extent of the inconsistency.
In addition to their expressed opposition to full preemption, the AGs urged Congress to include the following provisions in a federal security breach notification law:
- Require security breach notification to consumers that provides timely and useful information about security breaches by regular mail or email (if the consumer has consented to email as provided in the E-Sign Act)
- Such notification should not be tied to a trigger requirement relating to proof of risk, but should be a standard that is tied to a reasonable belief that personal information has been acquired or accessed by an unauthorized person
- Security freeze provisions that provide meaningful protection to consumers who wish to protect themselves from identity theft, i.e., no fraud monitoring exemptions would be permitted, especially where compromised information involves deposit accounts or debit cards
- Permit enforcement by State Attorneys General of any federal security breach notification or security freeze legislation
- Impose the same statutory standard on all businesses and industries, including financial institutions subject to the Gramm-Leach-Bliley Act
- A substitute broadcast notice would be an option only if more than 500,000 consumers are affected, and then on a Web site and major statewide or national news media
The AGs also called on Congress to enact a strong federal security freeze law that goes beyond the 2003 amendments to the Fair Credit Reporting Act. Those amendments permit consumers to place a “fraud alert” on their credit reports for at least 90 days and for up to seven years where identity theft has occurred. Several states have enacted stronger security freeze laws that will become effective over the next several months – Colorado, Connecticut, Illinois, Maine, Nevada, New Jersey, and North Carolina.
The financial services industry has also been lobbying heavily for Congressional action on data security due to the proliferation of state laws that are going into effect over the next several months. They argue that the longer Congress takes to enact legislation, the more state laws will go into effect and the harder it will be to convince federal lawmakers to vote for a bill that contains a weaker standard than their own state law. During the period between December 1, 2005 and March 1, 2006, twelve new state data security laws will go into effect. In all, 21 states have followed the lead of California by enacting security breach notification laws over the past year. While there are a lot of similarities among the state laws, there are sufficient differences to provide challenges to compliance. Like the Gramm-Leach-Bliley Act, enacted in 1999, these laws require businesses to keep consumer data secure, but they also require businesses to notify individuals of breaches of security.
For example, the North Carolina law, which was effective December 1, requires businesses to delay notification of consumers of a breach of security if requested by law enforcement officials, to permit their investigation to go forward without tipping off the wrongdoers. On the other hand, Illinois’ law, effective January 1, allows no exceptions or delays to notification. There are other more subtle differences among the laws as well. And the more state laws that are enacted with varying approaches to data security, the greater the challenge to Congress to reach a compromise for a federal bill.
We have previously recommended with respect to juggling compliance with state privacy laws that businesses comply with the strictest standard, and these state security breach notification laws are no exception. It will be necessary to identify the strictest state data security law and to comply with that standard should a security breach occur. It is unclear whether the OCC preemption rule issued last January was intended to cover state data-security and notification laws, or whether the OCC has the authority to preempt this type of law. The banking regulators have recently made it clear that banks should work with their primary regulator to determine what consumers should be told and how.
What originally seemed to be a simple and clear-cut legislative goal has become a complex process with multiple approaches to data security and notification competing for adoption. It remains to be seen whether members of Congress can reach a compromise before more states take legislative action on this issue.