The latest attempt at creating a US Federal data protection / data breach notification law was recently introduced in the Senate. The “Data Security and Breach Notification Act of 2012” (S.3333) was submitted by Sen. Pat Toomey (R-PA) with the support of Sens. Olympia Snowe (R-ME), Jim DeMint (R-SC), Roy Blunt (R-MO) and Dean Heller (R-NV). You can find a discussion of the bill at The Hill.
Although I have discussed the difficulties posed by the state-by-state patchwork of data breach notification laws across the US, and agree – even while being a firm believer in the notion of subsidiarity or what some refer to as “states’ rights” – with the need for a federal law to both reduce risk for businesses and improve all citizens’ rights, I’m not sure this is the right bill. Here’s why:
- “Reasonable” Protection. The proposed bill requires businesses to take “reasonable measures to protect and secure” electronic personal information. It goes on to require notification if the organization “reasonable believes” that protected data have been “accessed or acquired by an unauthorized person” and that it “has caused or will cause identity theft or other financial harm.” Although existing case law at the state level may help, I foresee years of court battles trying to establish what “reasonable” is – which, while enriching the lawyers, does not help businesses or consumers move beyond the current hodgepodge. And of course privacy advocates are not happy with this low data protection standard.
- Encryption Safe Harbor. As with many such laws, there’s a “safe harbor” clause for data that has been “encrypted, redacted, or secured by any other method or technology that renders the data elements unusable.” The lack of clarity here – does this include unsalted MD5 or SHA-1 hashes (both of which have long been known to be insecure)? – does not help businesses understand what’s needed. So, it will be up to the FTC to follow the lead of HHS in providing specific examples of “reasonable” encryption: (1) for data at rest, encryption consistent with National Institute of Standards and Technology Special (NIST) Publication 800-111 and; (2) for data in transit, encryption that complies with Federal Information Processing Standard (FIPS) 140-2.
- Notification Timeline. Unless delayed by law enforcement or for national security purposes, this proposal requires that notification of a breach be made “as expeditiously as practicable and without unreasonable delay.” This mirrors what is currently enshrined in many state laws, but many state laws (e.g., the recently updated statutes in VT) and federal laws (e.g., the HITECH Act) have much more clearly defined timelines which most common folk might better understand as “timely.”
- Penalties. The proposed bill would classify violations as “an unfair or deceptive business practice” to be enforced by the FTC and punishable by fines NTE $500,000 “for all violations resulting” from a) the “same related act of omission” or b) “a single breach of security.” Unfortunately there’s no provision for willful vs. accidental failures to protect data or notify in the case of a breach, unlike other similar laws (e.g., the HITECH Act), so it will be left to the FTC to flesh this out. I don’t think this is in the interest of either businesses (too much ambiguity) or consumers (insufficient “stick”).
- Preemption. As one would expect, this proposal would overrule all state and local laws covering data protection and breach notifications (exemptions are included for GLBA and HIPAA / HITECH) – this is good for both businesses (harmonized requirements) although consumers, especially those living in states with more stringent laws like California or Massachusetts, may not agree. Equally distressing to privacy advocates I suspect is the provision to require notification to the Secret Service or the FBI if the breach exceeds 10,000 individuals’ records, replacing many state laws requiring notification to the state AG or other agency at levels as low as 500 breached records – and thus we lose a level of transparency which helps focus the mind; after all, as Justice Brandeis once wrote, sunlight is said to be the best of disinfectants.
So, there you have it. There’s a bit more meat on these bones, so you might be interested in reading the proposed bill in full here; it’s not very long (a reasonably easy-to-read 14 pages), and it’s probably worthwhile as it may impact the future of data protection laws in the US. But, as I’ve written before, I suspect it’s going to be some time before we actually see a US national law on data protection and breach notification (even more so now that we’re in the 2012 election cycle). Let’s just hope we see some further refinement as this proposal wends its way thru the process.