Senators and Representatives from both sides of the aisle have introduced several new pieces of legislation proposing sweeping new frameworks for data privacy law:
S. 239 (“Notification of Risk to Personal Data Act”);
H.R. 958 (“Data Accountability and Trust Act”);
H.R. 836 (“Cyber-Security Enhancement and Consumer Data Protection Act of 2007”); and
S. 495 (“Personal Data Privacy and Security Act of 2007”).
S. 495 and H.R. 958 establish requirements for data security, as well as breach notification standards; S. 239 is limited to breach notification requirements; and H.R. 836 criminalizes the concealment of data breaches, enhances penalties for identity theft, and requires the reporting of breaches to federal law enforcement agencies. Whatever the final text of data privacy legislation, we are likely to see this Congress pass federal data security legislation. Congressional leaders have emphasized that data privacy and breach notification are top priorities.
Federal legislation is necessary, some believe, in order to standardize what currently is a patchwork of requirements among the 35 states with data security and breach notification requirements.
Following are some of the more notable provisions of the proposed bills:
1) Pre-emption
All four bills would pre-empt state laws pertaining to similar subject matter. However, the bills do allow states to specify additional information that must be included in data breach notifications.
2) Regulatory enforcement and rulemaking
S. 239, H.R. 958 and S. 495 all delegate to the FTC the responsibility of establishing guidelines for data security and breach notification. Although the FTC’s mandate until now has not included breach notification, the FTC has a fair amount of experience with enforcing data security standards under its Section 5 (15 U.S.C. § 45) authority.
The proposed legislation delegates authority to the FTC to promulgate regulations based on criteria similar to those the FTC already follows in its Section 5 cases: establishment of security policies, enforcement of those policies and monitoring of potentially vulnerable systems. See, e.g., H.R. 958, sec. 2.
3) Breach notification duty belongs to data owner, not licensee or third-party data manager
H.R. 958 and S. 495 explicitly state that a third-party data manager’s only notification obligation after a breach is to alert the data owner, i.e., the entity on behalf of which the data is maintained, to the breach. S. 239 also imposes such an obligation, but notes that the proposed legislation does not prevent a data owner and a third party from allocating through contract the burden of notifying individuals’ whose data were compromised. The other two proposals are silent as to this issue.
4) No private cause of action
All four bills explicitly state that they do not create new private federal causes of action. Furthermore, they note that violations of their provisions cannot give rise to private actions under state consumer protection laws. Rather, only state Attorneys General may sue for underlying violations of federal data privacy statutes under state consumer protection laws. The FTC may join or move to stay such proceedings.