Late last week, House legislators proposed a bill, the Data Security and Breach Notification Act (the “Bill”), which would establish a nationwide standard for the reporting of data breach incidents, preempting state information security laws.
The Bill's data protection and breach notification provisions are relatively standard at this point. Entities are expected to enact “reasonable” security measures and practices, though what counts as reasonable depends on the nature and scope of the entity at issue. However, the Bill expressly requires that affected individuals be notified within 30 days of the investigation into the scope of the breach and the restoration of the data system. And, if the breach affects more than 10,000 individuals, the entity would be required to contact both the Secret Service and the FBI.
The Bill provides for enforcement by the FTC and state attorneys general (AG). A violation of either the protection or notification provisions would constitute an unfair and deceptive act or practice. The Bill would require notification to the FTC of any action by a state AG and would allow the FTC to intervene in any such action.
The House Subcommittee on Commerce, Manufacturing, and Trade held a hearing this week on the Bill, where the FTC, along with legislators and the FCC, agreed that there were positive elements to the Bill, but objected that the Bill would weaken existing consumer protections and remedies, and does not provide for FTC rulemaking authority (including an ability to adapt to changes in types of personal information subject to protection).
It is clear that no one is satisfied with the proposed Bill, but what remains to be seen is whether legislators can come together to create a law that does, in fact, simplify compliance and strengthen consumer protection.