Obama Administration Proposes Federal Data Breach Notification Standard

This January, President Obama announced a series of initiatives aimed at protecting consumer data. One of these proposals is the Personal Data Notification and Protection Act (“PDNPA” or “Act”), which would create a federal standard for data breach notifications. If passed, businesses will need to know these new requirements to prepare adequately for a data breach and to avoid potential litigation should one occur.

The proposed PDNPA would cover any business that “uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information” of more than ten thousand people in a one-year period. Such a business would have to give notice to the owners of the information in the event of a “security breach” unless “there is no reasonable risk of harm or fraud.”

Under the PDNPA, sensitive personally identifiable information includes 1) an individual’s first name or first initial and last name paired with any two of the following: home address, telephone number, mother’s maiden name, and/or birth date; 2) social security number, driver’s license number, passport number, alien registration number, or government-issued identification number; 3) biometric data; 4) financial account, debit card, or credit card number and other financial information; 5) username and password to an online account; or 6) any combination of: an individual’s first name and last name or first initial and last name, certain financial account information, and/or information that can be used to generate access codes, security codes, and passwords. The Act would also give the Federal Trade Commission (“FTC”) the authority to promulgate regulations identifying additional sensitive personally identifiable information.

A security breach of such information would occur when there is a “compromise of the security, confidentiality, or integrity of” the information, or when the information is lost, and the compromise or loss results in the unauthorized acquisition of, or unauthorized access to, sensitive personally identifiable information, or there is a reasonable basis to conclude that it has resulted in such unauthorized access or acquisition. When a covered business discovers a security breach, it will have to give notice to the affected individuals without unreasonable delay, not to exceed thirty days absent an applicable exception, unless there is no reasonable risk of harm or fraud to the individuals involved.

The PDNPA would give enforcement authority to the FTC, with violations of the requirements categorized as unfair or deceptive acts or practices in commerce under the Federal Trade Commission Act. In the absence of this congressional grant, the FTC’s authority to regulate data security policies of businesses is currently being disputed in FTC v. Wyndham Worldwide Corporation.

The PDNPA would not give a private right of action for violations of the Act. State attorneys general would have the authority to bring a civil action against a business in violation of the Act, seeking injunctive relief, compliance, and fines of up to one thousand dollars per day, per affected individual (with a maximum of $1,000,000 per violation unless the violation is willful or intentional). However, a state attorney general would have to give notice of the action and a copy of the complaint to the FTC and the Attorney General prior to filing the action. The Attorney General would be able to prevent a state attorney general from filing the action if it would impede a criminal investigation or national security activity, or if the FTC had already initiated a proceeding under the PDNPA against the defendant.

If passed, the federal data breach standard would supersede all state laws “relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data” except for state laws requiring additional content in notifications.

Compared to Pennsylvania’s data breach standards, for example, the federal requirements include more types of data in their definition of sensitive personally identifiable information.

The federal data breach notification proposal also uses a more expansive definition of a data breach. The Pennsylvania law requires actual access to and acquisition of data that materially compromises the security or confidentiality of the data for an event to qualify as a data breach. The federal standard, by contrast, would treat as a security breach that triggers the Act’s requirements either 1) an actual unauthorized acquisition of or access to sensitive personally identifiable information, or 2) a reasonable basis to conclude that there was an unauthorized acquisition of or access to the information, in either case where the data has been lost or there has been a compromise of its security, confidentiality, or integrity.

Businesses that developed their data security procedures based on Pennsylvania law (or other state laws with less-stringent data breach reporting requirements) will need to revise their data breach response policies if Congress passes the PDNPA.
