Proposed federal cybersecurity legislation.
Changes are on the horizon in the privacy and data security area for companies that obtain, use and/or store certain electronic personal data. Two proposed federal laws have the potential to change how entities that suffer a data breach involving such information must notify affected customers and facilitate increased information sharing about potential cyberthreats with the federal government.
Currently, forty-seven states and the District of Columbia each have separate laws defining what a data security breach is, the type of events that can trigger a company's responsibility to notify affected consumers about a breach incident and the time period in which companies must send out those notifications. A federal data security breach notification law has been proposed in the U.S. House of Representatives that would generally preempt these various state laws and impose a relatively short 30-day period in which companies would be required to notify affected consumers. The 30-day period would start from when the company restores the "reasonable integrity, security, and confidentiality of the data system." The law would not preempt other federal laws obligating entities to notify consumers of data security breach incidents, such as the Gramm-Leach-Bliley Act.
The proposed law, H.R. 1770, would include within the definition of "personal information" several of the same data fields that are typically covered by the various state laws, such as a consumer's non-truncated social security number, financial account number or credit/debit card number in combination with any security code or password, and first and last name or first initial and last name in combination with (i) driver's license number, passport number, or other government-issued unique identification number or (ii) any two of the following data elements: home address or telephone number; mother's maiden name; or month, day, and year of birth.
Also included in the definition would be additional data fields not typically covered under state laws, such as biometric data and a consumer's unique account identifier (e.g., username or email address) in combination with a password or other security code that would permit an individual to obtain money or any other thing of value. Several states have recently amended their data breach notification laws to encompass such types of information in that state's definition of "personally identifiable information," but the vast majority of states' definitions still do not include biometric data, username, email addresses, or passwords.
Similar to most state laws, the bill would expressly exclude encrypted information from the definition of "personal information." Data that is rendered "unusable, unreadable, or indecipherable through data security technology or methodology that is generally accepted by experts in the field of information security" would also be excluded from the definition of "personal information."
Any entity that suffers a breach would generally be required to notify individuals whose personal information was affected, unless there is not a reasonable risk that the breach resulted in or would result in identity theft, economic loss or harm, or financial fraud to those individuals. The harm-based trigger is a welcome provision, as notifying consumers of each and every security breach incident, even where no harm results, could decrease the effectiveness of the notifications as consumers become desensitized to them. The bill still needs to define more precisely, though, what would and would not be considered a reasonable risk of harm.
If the number of individuals whose personal information is breached exceeds 10,000, the entity must notify the Federal Trade Commission and Secret Service or FBI. The entity would also be required to report to a nationwide consumer-reporting agency, as defined in the Fair Credit Reporting Act, on the timing and distribution of the notices for incidents with more than 10,000 affected individuals.
The Federal Trade Commission and state attorneys general would possess enforcement authority. The bill is currently awaiting a vote in the House of Representatives and, if enacted, would become effective one year later.
If the proposed law passes and your company is subject to it, you will ultimately have to comply with the provisions in the event your company suffers a data security breach incident. While no company likes to think about the possibility that it might become the target of a data breach, there are preventative steps companies can take to minimize the impact of a breach, such as encrypting the types of data that would be considered "personal information" under the law in order to utilize the safe harbor exemption for encrypted data.
Another bill (the "Cybersecurity Information Sharing Act of 2015" or "CISA"), S. 754, is currently pending in the Senate that would enhance cybersecurity information sharing between private and government entities. CISA would permit private entities to exchange information about certain cyber threat indicators with the federal government in an effort to prevent future cyberattacks.
If enacted, the bill would require the U.S. Attorney General to, within 180 days, establish a process for companies to send cyberthreat data to a designated government agency. The Department of Homeland Security would also be required to, within 90 days, implement a plan to receive data on behalf of the government. Companies that choose to share information with the federal government in accordance with CISA would be protected from liability for doing so.
The bill has received high priority in Congress after the personal data of 22 million people was hacked from the federal Office of Personnel Management (OPM) earlier this year. Proponents of the bill argue that it could help prevent cyberattacks like the one on the OPM.
CISA is not without opposition, though. Industry groups, and even the Department of Homeland Security, have criticized the bill for its vagueness and lack of adequate privacy safeguards. The bill defines a cybersecurity indicator as any information that "is necessary to describe or identify" various red flags, such as "actual or potential" consequences of a cyberattack, including descriptions of stolen data. CISA also contains a requirement that entities submit data in real time without any delay or modification, which could hamper efforts to scrub personally identifiable information from the shared data.
The bill will be reintroduced during the Senate's September session. In an attempt to strike a balance between security and privacy concerns, Republicans and Democrats have agreed to allow each party to propose ten amendments to the bill, so the final version of the bill is likely to differ from its current one.
Publication: Inside Counsel Breaking News
Date: Sep 8, 2015