Data Protection Report - Norton Rose Fulbright

Leading up to the President’s State of the Union, the White House previewed several potentially sweeping cybersecurity initiatives—including a proposed federal law that would create a single national breach notification standard, entitled the Personal Data Notification & Protection Act (the “Act”). The President argued that the proposed law will benefit consumers and alleviate the confusion and cost born by companies that must navigate the “patchwork” of differing state laws that currently governs the area of breach notification. In our view, the national breach law proposal may receive bipartisan support, but as always it is very difficult to handicap the chances of passage with a divided government.

The Act contains a number of requirements that reflect the commonalities among the various existing state breach notification laws, but also proposes some new obligations:

Preemption of state laws

The proposed law would establish a national standard by “supersed[ing] any provision of the law of any State, or a political subdivision thereof, relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data.” State attorneys general and law enforcement would have the authority to bring civil actions, enforcing compliance with the federal law, enjoining violations, and imposing civil penalties.

Our take: Preemption is a key feature of the proposal that would allow a national breach standard to emerge. The provision allowing states to enforce the law should alleviate states’ concerns that they would lose control over breach enforcement. Given that the law is so similar to most state breach notification laws, for many states, the combination of a federal standard and state enforcement would mean no substantive changes to the breach notification and enforcement climate. Put differently, while eliminating a wrinkle or two in each state law would have no noticeable effect on protections offered by state laws, the national law’s elimination of the entire 47+ wrinkles would be a fountain of youth for the businesses tasked with complying with existing state laws. However, the scope of the preemption should be carefully considered, and, if the law does not truly preempt all aspects of existing state law, it may not be successful. For example, while some state breach laws require notification for “paper breaches” (involving personal information contained on paper documents), apparently the Act would not preempt that aspect of those state laws.

Personal information

Using the term “sensitive personally identifiable information,” the proposed law defines six categories of personal data within the law’s scope:

  • A first name or initial and last name, plus at least two of the following: home address or telephone number; Mother’s maiden name; and birthdate;
  • Social security number, driver’s license number, passport number, or other government-issued unique identification number;
  • Unique biometric data like a finger print, voice print, or retina or iris image;
  • Unique account identifier like an account number, user name, or routing code;
  • User name or e-mail, plus a password or security question and answer; or
  • Any combination of a first name or initial and last name; a unique account identifier; and any security code, access code, or password.

Our take: This is an inclusive definition that respects the work that states have done in defining the personal information, the unauthorized acquisition of which matters to consumers. The Act is without a doubt much broader in defining personal information than the majority of existing state laws that follow the “name+” model. Rather, the Act encompasses the scope of the definitions advanced by outliers, such as North Carolina. We envision that states will welcome this aspect of the federal proposal, in part because there is momentum to expand the definitions, such as the recent change in the California law that added online credentials to the list.

Security breach

The proposed notification requirements will be triggered by the “discovery of a security breach” of “sensitive personally identifiable information” that “has been, or is reasonably believed to have been, accessed or acquired.” The acquisition must be “unlawful” or the access must be for an “unauthorized purpose” or “in excess of authorization.”

Our take: As with the definition of “personal information,” the breach threshold is an inclusive standard that reflects existing state laws. While most states premise the requirement to notify on “acquisition” of, rather than “access” to, the data, by encompassing the outliers, the Act is more likely to garner states’ support.

Harm threshold

The proposed law sets forth a “safe harbor” for a business that conducts and submits, within 30 days after breach discovery, a risk assessment to the Federal Trade Commission (“FTC”) that concludes that no “reasonable risk” of harm to individuals resulted or will result from the breach. The safe harbor also includes a presumption that no reasonable risk exists “[i]f the data at issue was rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted by experts in the field of information security.” That presumption can, however, be rebutted “by facts demonstrating that the security technologies or methodologies in a specific case have been, or are reasonably likely to have been, compromised.”

Our take: The majority of existing state laws contain a harm threshold that does not require notification (or exempts an event from the definition of a breach) when the unauthorized acquisition or access does not result in reasonable risk of harm to the affected individual, or require a material compromise of personal information as a result of the breach to trigger notice obligations. Thus, again, the concept is common to most states.  Some states that have been active in breach enforcement but do not have a harm  threshold, such as Massachusetts, might balk at the higher threshold for notification. Here, however, the requirement to submit the harm threshold analysis to the FTC might alleviate states’ concerns that the determination of the harm threshold is not vetted. With some exceptions, currently states that do provide for a harm threshold do not require the analysis to be submitted to state authorities.

Most existing state laws apply to personal information that’s unencrypted or encrypted information if the key is also compromised. The Act again accommodates outliers by providing an opportunity to rebut the presumption of effective encryption.

Notice within 30 days

After discovery of a security breach, under the proposal, a business will need to make the required notifications “without unreasonable delay,” or, put another way, with only “reasonable delay” or 30 days or less after the discovery, unless the FTC or federal law enforcement determines otherwise. Notice to individuals, by mail, telephone, or e-mail, will be required, while additional notice via a media source will only be required under certain circumstances.

Our take: A minority of the states imposes a timeline for notification, such as Florida. In many cases, especially for complex breach situations, 30 days is not a realistic time period for notification. By comparison, the HIPAA/HITECH notification deadline for breaches of Protected Health Information is 60 days from the discovery of the incident. It is important to realize that the increasing sophistication of breaches also means that companies need to invest the time to investigate the scope and nature of the incidents. An arbitrary deadline makes it more likely that individuals will not receive accurate information and can cause serious stress (financial, personnel, and otherwise) for companies scrambling to meet the deadline.

Affected businesses

The proposed notification requirements will not apply to all businesses but only to a business “that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period.” Like other federal laws, it will also only apply to those businesses that engage in or affect “interstate commerce,” which is generally easily satisfied in today’s marketplace. The proposed law also includes provisions governing businesses that engage in the above activities but do not actually own or license the breached information.

Our take: The question remains on how smaller companies will handle breaches. In today’s modern economy, a lot of small and mid-sized companies handle this volume of data on an annual basis. Moreover, the threshold is arbitrary when one considers the purpose of breach notice laws: notifying individuals so they can help themselves. Is the risk of harm to an affected individual somehow nullified if the breach occurred at a small business? We can see consumer advocates objecting to this aspect of the Act.

While at the forefront of the President’s agenda, the proposed breach notification law is presently just that—a proposal that must still navigate the legislative process and two chambers of Congress. Public and private sector leaders will soon have a chance to share their thoughts on this and other proposals. A few weeks after the State of the Union, the White House will hold its Cybersecurity Summit on February 13, 2015 at Stanford University. Federal and state government leaders and private sector representatives from a wide range of industries are anticipated to convene at the Summit and will likely address the proposed breach notification standards.

Given the widespread effect and continuing tide of cyber breaches, all sectors and industries should understand and stay updated on this and other proposals in the pipeline that could bring significant changes to the legal landscape of cybersecurity.