Federalizing Data Security Breach Rules
October 20, 2011 by Bierce & Kenerson, P.C.
Virtually all U.S. states have adopted “data security breach notification” laws to alert individuals and local governmental officials of possible identity theft. In California, victims of such breaches can sue for damages. On September 22, 2011, Senator Richard Blumenthal (Democrat, Connecticut) introduced a draft federal law on data protection: Personal Data Protection and Breach Accountability Act of 2011, S. 1535, 112th Cong., 1st Sess. It would create a new federal crime of intentionally failing to disclose a security breach. It would also coordinate breach reporting with criminal investigations. It would create federal standards that could effectively supersede state laws on security breach notification and repair of an individual’s identity.
The draft law would apply particularly to financial institutions under the Gramm-Leach-Bliley Act and HIPAA-covered entities. Each would need to implement a comprehensive personal data privacy and security program that includes administrative, technical and physical safeguards “appropriate to the size and complexity of the business entity and the nature and scope of its activities.” While the draft law identifies certain criteria for the design, risk assessment and risk management and control, the sufficiency of any security program will depend on the facts and therefore invites litigation.
Scope. Senator Blumenthal, a former prosecutor in Connecticut, would criminalize data security breaches by data brokers who sell access to personally identifiable information (“PII”), especially sensitive PII. The draft bill seeks to achieve several goals:
- protecting consumers by mitigating the vulnerability of personally identifiable information to theft through a security breach,
- providing notice and remedies to consumers in the wake of such a breach,
- holding companies accountable for preventable breaches,
- facilitating the sharing of post-breach technical information between companies, and
- enhancing criminal and civil penalties and other protections against the unauthorized collection or use of personally identifiable information.
Preemption of Conflicting State Laws. Under Section 221(a), the draft federal law would supersede any other federal or state law “relating to notification by a business entity engaged in interstate commerce or an agency of a security breach.” Preemption would not apply to state common law (including liability under trespass, contracts or tort law) for damages caused by a failure to notify an individual following a security breach. Nor would this act preempt existing federal laws governing GLB-covered financial institutions, or HIPAA/HITECH covered entities, business associates or vendors of personal health information.
However, the remedies of individuals to sue for damages, punitive damages and equitable relief under Section 205 “are cumulative” with any other rights and remedies. This appears to conflict with federal preemption under Section 221(a), a challenge for courts interpreting the statutory text.
Definition of a “Security Breach.” Under the proposed law, the term “security breach” would mean the “compromise of the security, confidentiality, or integrity of, or the loss of, computerized data through misrepresentation or actions that result in, or that there is a reasonable basis to conclude has resulted in:
(i) the unauthorized acquisition of sensitive personally identifiable information; or
(ii) access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization.”
The term would not include:
(i) a good faith acquisition of sensitive personally identifiable information by a business entity or agency, or an employee or agent of a business entity or agency, if the sensitive personally identifiable information is not subject to further unauthorized disclosure;
(ii) the release of a public record not otherwise subject to confidentiality or nondisclosure requirements or the release of information obtained from a public record; or
(iii) any lawfully authorized criminal investigation or authorized investigative, protective, or intelligence activities that are carried out by or on behalf of any element of the intelligence community and conducted in accordance with the United States laws, authorities, and regulations governing such intelligence activities.
Legal Standards for Outsourcing by Data Brokers. In governmental procurements involving data brokers, the draft law would establish a standard of care for outsourcing contracts. It would impose “monetary or other penalties” (such as debarment) if a government contractor “knows or has reason to know that the sensitive personally identifiable information being provided is inaccurate, and provides such inaccurate information.” Where the government contractor hires an outsourcing service provider, the data broker must follow some vague standards of “appropriateness” and “reasonableness.” It must:
(A) exercise appropriate due diligence in selecting those service providers for responsibilities related to sensitive personally identifiable information;
(B) take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the sensitive personally identifiable information at issue; and
(C) require such service providers, by contract, to implement and maintain appropriate measures designed to meet the objectives and requirements governing the privacy and security of sensitive personally identifiable information.
By using such vague standards, the draft law would invite litigation to identify what meets these standards.
Security Auditing Standards. The proposed law would mandate that federal procurement officers purchasing PII from data brokers conduct a “privacy impact assessment” and adopt security audit regulations. Of interest, the scope of such regulations would be very broad, an indication of the minimum prudent levels of security auditing in today’s commercial marketplace. For procurements exceeding $500,000, the General Services Administration would need to review the contracts for assessment of the data security program. Such review would apply to all “contracts with data brokers for products or services related to access, use, compilation, distribution, processing, analyzing, or evaluating sensitive personally identifiable information.” [Section 301.]
For such procurements, each federal agency would need to adopt regulations that specify—
(A) the personnel permitted to access, analyze, or otherwise use such databases;
(B) standards governing the access, analysis, or use of such databases;
(C) any standards used to ensure that the sensitive personally identifiable information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate purpose of the Federal agency;
(D) standards limiting the retention and redisclosure of sensitive personally identifiable information obtained from such databases;
(E) procedures ensuring that such data meet standards of accuracy, relevance, completeness, and timeliness;
(F) the auditing and security measures to protect against unauthorized access, analysis, use, or modification of data in such databases;
(G) applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongly incurred due to the access, analysis, or use of such databases;
(H) mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and
(I) an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases.
[Section 303, amending Section 208 of the E-Government Act of 2002, 44 USC 3501 Note.]
“Safe Harbor” from GSA Debarment. The draft law would implement a process for GSA evaluation of security standards. As a “safe harbor,” the data privacy and security program of a data broker would be deemed sufficient if the data broker were to comply with or provide protection equal to “industry standards,” as identified by the Federal Trade Commission, that are applicable to the type of sensitive personally identifiable information involved in the ordinary course of business of such data broker.
Enforcement. The draft law would allow enforcement by State attorneys general, acting for their citizens, and individual victims. The U.S. Attorney General could also enforce. Liability would be capped at $500 per day per individual victim, up to $20 million per incident. Punitive damages would be available for “intentional and willful violation” and for simple failure to adopt a compliant personal data privacy and security program.
Impact on Outsourcing. Companies and their IT outsourcing providers have suffered major security breaches in the past. The draft law lacks clear guidance on what is “adequate” or “sufficient” or “reasonable,” except for a safe harbor that refers to industry standards as blessed by the FTC. The FTC would thereby become a de facto federal data protection authority (“DPA”).
There are benefits in having a uniform law on data protection and security breach. However, this draft does little to add certainty. By adopting a “safe harbor” based on a regulator’s interpretation of “best practices,” the draft law risks depriving prudent data brokers and their outsourced service providers of legitimate defenses to avoid contract penalties in government contracts and in claims by individual victims of identity theft.
Finally, the enforcement structure effectively exposes data brokers and their outsourcing service providers to statutory and punitive damages, and invalidates any contrary arbitration agreement. The law would add significantly to the costs of breaches and will undoubtedly benefit the litigating legal profession.