by Mehmet Munur
The Obama Administration unveiled a proposal for cybersecurity legislation on May 12 that also includes a national standard for breach notification. The legislative proposal joins bills tackling federal breach notification and online privacy by Rockefeller, McCain and Kerry, Stearns and Matheson, Rush, and Speier.
Breach Notification Proposal
The Obama Administration's proposal includes a federal breach notification requirement that applies to breaches of sensitive personally identifiable information, subject to a harm trigger. Only entities using information relating to 10,000 or more individuals during any 12-month period are covered by the proposal.
The proposal defines a security breach as “a compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in (A) the unauthorized acquisition of sensitive personally identifiable information; or (B) access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization.”
The proposal includes a wide variety of information that could be considered sensitive personally identifiable information, including combinations of names, addresses, phone numbers, unique account numbers, social security numbers, and biometric information. The proposal also gives the Federal Trade Commission rulemaking authority to amend the definition of sensitive personally identifiable information.
The proposal requires business entities that use, access, transmit, store, dispose of, or collect sensitive personally identifiable information about more than 10,000 individuals during any 12-month period to notify the individuals whose information was, or is reasonably believed to have been, accessed. If the access does not create a reasonable risk of harm or fraud to the individual, no notification is necessary. If the breach occurs at a licensee of the data, that licensee must notify the owner of the data.
The proposal requires that notification be made without unreasonable delay, and no later than 60 days following the discovery of the breach. The proposal allows the FTC to delay the notification by 30 days, and also allows delays for law enforcement or national security purposes. The proposal also gives the FTC the power to examine evidence relating to these notifications.
The proposal also includes a national security exemption and a risk assessment safe harbor. The national security exemption from notification would be invoked if the Secret Service or the FBI determines that notification would reveal sensitive sources or impede law enforcement investigations. The safe harbor would be invoked if an entity conducted a risk assessment that determined that the data was rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted by experts in the field. In addition, the business entity must notify the FTC in writing of the risk assessment and its decision to invoke the safe harbor.
This safe harbor is certainly different from the exemptions from notification built into state breach notification laws and HITECH. Some state breach notification laws exempt encrypted data from notification by excluding it from the definition of a breach. Under the administration’s proposal, assuming that encryption satisfies the “rendered unusable, unreadable, or indecipherable” standard, the business entity would still have the obligation to notify the FTC of its risk assessment and its decision to invoke the safe harbor within 45 days. While a similar documentation obligation exists under the HIPAA and HITECH regulations, there is no obligation to inform HHS of a breach of “secured” information. Additionally, the HITECH legislation gave HHS specific authority to define the technological aspect of what constitutes unsecured information. The proposal does no such thing. Currently, the FTC has only broad but vague power to promulgate regulations under section 107(c). We would expect this to get remedied in the legislative process, if the proposal goes that far.
The proposal allows for notice by mail, phone, or email, if the individual has consented to that form of notice. Notice to the media is available if more than 5,000 individuals are affected. The notice must include a description of the categories of sensitive personally identifiable information involved in the breach, a toll-free number to call, and the toll-free phone numbers of the three credit reporting agencies and the FTC. The proposal allows states to require additional information regarding the state’s victim protection assistance program. This appears to be the only area in the proposal that would allow divergence from state to state. Otherwise, Section 109 of the proposal would preempt all other state law relating to breach notification.
The proposal also requires the notification of credit reporting agencies and law enforcement agencies. The entities are to notify an entity designated by the Secretary of Homeland Security, who must then notify the Secret Service, FBI, and the FTC.
The proposal gives the FTC and the State Attorneys General enforcement powers. The proposal grants the FTC enforcement powers regardless of whether the breached entity otherwise falls under the FTC’s jurisdiction. However, the FTC must consult with the attorneys general before initiating an investigation. The proposal requires that the AGs notify the FTC before bringing an enforcement action. The FTC also retains the ability to stay, move, or consolidate actions in federal court. The proposal explicitly limits private causes of action relating to the new breach notification requirements.
Finally, the proposal excludes covered entities and vendors of personal health records that are already covered under the FTC and HHS regulations implementing HITECH. The effective date of the proposal is 90 days after its passage in Congress, which is a rather short period of time. By comparison, HHS and the FTC were allowed 180 days to promulgate the HITECH regulations, and they also provided delays in enforcement of breach notification when those regulations were finalized.
The Obama Administration proposal also includes a long-awaited cybersecurity proposal that would go a long way toward protecting critical infrastructure and critical information infrastructure from cyber threats. First, the proposal requires that the Secretary of Homeland Security enhance cybersecurity and cyber incident response. Second, the proposal establishes a cybersecurity protection program. Third, the proposal creates a regulatory framework around the protection of critical infrastructure.
The proposal requires the Secretary to develop and maintain a risk-informed approach that improves the information security of federal systems, promotes the development of technical capabilities toward national cybersecurity goals, and promotes greater research, innovation, training, and investment in cybersecurity, amongst other things. Along with this approach comes the Secretary’s duty to conduct cybersecurity activities to protect critical information infrastructure. This requires the Secretary to create programs, conduct risk assessments, integrate new technologies, and create a center to serve as a focal point within the federal government for cybersecurity. To further these goals, the Secretary must carry out a cybersecurity program to protect federal systems from cybersecurity threats. The proposal also provides for privacy and civil liberties oversight, because it gives the Secretary the ability to intercept the content of communications associated with a known or reasonably suspected cybersecurity threat.
The proposed regulatory framework would require owners and operators of covered critical infrastructure to develop cybersecurity plans. These plans would be evaluated by non-governmental entities with expertise in the area based on accreditation processes developed by the Secretary. The entities would be required to provide annual certifications by their CEO or other accountable corporate officer that their plans have been developed, implemented, and evaluated.
Owners or operators of covered critical infrastructure are also required to promptly notify the Secretary of significant cybersecurity incidents under the proposal. Finally, the proposal gives the Secretary enforcement and rulemaking capacity relating to the proposed legislation.
Other Privacy Bills in Congress
Currently, there are several bills in the House and Senate relating to privacy. The Kerry-McCain bill primarily tracks the Department of Commerce green paper, while others range from anti-tracking proposals to comprehensive privacy legislation to breach notification.
The Stearns – Matheson Data Accountability and Trust Act of 2011 introduces data breach related and privacy related obligations on covered entities. Most importantly, the bill requires notification of breaches to both the individuals and the FTC without unreasonable delay. Encryption and other methodologies determined by the FTC to render data unusable, unreadable, or indecipherable create a presumption that there is no reasonable risk of identity theft or fraud to the individual. This negates the duty to notify.
The breach notification provisions for agents or third-party providers are unlike those in state breach notification statutes or HITECH. The bill requires only that these third parties notify the entities for which they process the data. They need not notify the individuals. By contrast, HITECH and state laws allow the entities to work out who is in a better position to notify the individuals. The bill allows for written and email notification, so long as the individual has consented or it is their primary method of contact, as well as substitute notice in the form of print or broadcast. The content of the notification is similar to the requirements under the Obama cybersecurity proposal. The bill requires the FTC to promulgate regulations regarding the security of information maintained by entities that own or possess personal information. The bill includes specific security, audit, access, and verification requirements for information brokers. Finally, the bill gives the FTC and State AGs enforcement authority over the new requirements. Civil penalties may go up to $5 million. The bill would preempt any state law that requires information security and notification of individuals. As a result, state security regulations such as 201 CMR 17 in Massachusetts would likely be preempted under this bill.
Stearns – Matheson Consumer Privacy Protection Act of 2011
The Kerry – McCain Commercial Privacy Bill of Rights Act of 2011 provides the FTC with rulemaking authority regarding transparent choice and tracking on the internet. The bill applies to entities collecting information concerning more than 5,000 individuals during any 12-month period that are subject to FTC authority, common carriers, or non-profit entities. The bill would apply to personal information and unique identifier information, or any other information used with that information to identify an individual. The bill allows State AGs to bring enforcement actions, but preempts certain state law. The bill also authorizes a co-regulatory framework with safe harbors, with participation from the Department of Commerce. This bill would not affect GLBA, FCRA, HIPAA, COPPA, CAN-SPAM, ECPA, or VPPA.
The Jackie Speier H.R. 614 Do Not Track Me Online bill directs the FTC to create a do-not-track mechanism. It would apply to entities that collect covered information from more than 10,000 individuals in a 12-month period. The bill broadly defines covered information to include user information and unique identifiers, such as IP addresses. It includes FTC rulemaking and enforcement authority. This bill also provides for State AG enforcement authority.
The Rockefeller Do-Not-Track Online Act of 2011 is similar to the Speier bill. This bill would also require the FTC to promulgate regulations to address tracking online. The bill allows the State Attorneys General and the FTC to bring enforcement actions for violations of the regulations. The bill allows for maximum civil liability of $12 million.
The Bobby Rush H.R. 611, the “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” or BEST PRACTICES Act, has been reintroduced this year. It is a comprehensive privacy bill and also provides for FTC enforcement.
It is not unusual to have one or two privacy bills in Congress in any given year. However, this year is particularly busy, and there appears to be bipartisan support for some of these bills. When we add the urgency created by the FTC and DoC privacy papers and the Obama Administration’s focus on breach notification and cybersecurity, we may finally see legislation pass this year that affects privacy and breach notification on a national scale.