Last Thursday, Reps. Michael Burgess (R-TX), Marsha Blackburn (R-TN), and Peter Welch (D-VT) circulated a draft of a long-anticipated bipartisan data security and data breach notification bill, and it was certainly worth the wait. This bill has been in the works for months, but several of its original co-sponsors retired or lost re-election last year, delaying its release. The bill's bipartisan co-sponsorship is a major step towards establishing a national data breach notification standard, and it represents the first completely original such bill in years. The House Energy & Commerce Committee's Subcommittee on Commerce, Manufacturing and Trade will be holding a hearing tomorrow to discuss the draft.
The draft represents a true compromise between the bills we've seen from the respective parties over the last several years, and strikes the appropriate balance between protecting consumer data and regulating industry. Some of the key provisions of the bills are as follows:
- It creates a federal standard for data breach notification that will replace the complex web of 47 state standards currently in place;
- It imposes a federal data security standard requiring companies to "implement and maintain reasonable security measures and practices to protect and secure personal information;"
- It requires companies to conduct an investigation following the discovery of a security breach and notify individuals if they determine that there is "reasonable risk" that the breach has resulted in harm to those individuals;
- It requires notification within 30 days after a company has conducted a risk assessment to determine the scope of the breach and restored the system's integrity;
- It allows for substitute notification when direct notification is not feasible;
- It Contains special exceptions on notification requirements for SMBs (such as not requiring them to set up a call center);
- It allows for enforcement by both the FTC and state attorneys general;
- It caps total penalties at $2.5M per violation, but requires consideration of a company's ability to pay and impact on their ability to continue to do business when determining the penalty amount;
- It forbids private causes of action;
- It contains an exemption for data rendered unusable or unreadable;
- It contains an exemption for information obtained from a publicly available source.
There are still some unresolved questions in the draft, however, most notably about whether the preemption provision will prevent consumers from suing companies under state tort laws for damages stemming from breaches. We have long argued that a federal standard should preempt such laws. Additionally, the draft currently permits both the FTC and state AGs to punish companies for the same violation, meaning they could be hit with multiple fines for the same breach. We will continue to work towards resolving these issues.
In the meantime, tomorrow's hearing will go a long way towards determining whether this bill can get the necessary support to actually pass into law. We're still a ways from getting there, but this draft may represent the best chance at passing a national data breach notification standard in several years.