As passed by the House of Representatives on December 8, 2009, the Data Accountability and Trust Act would create federal data security standards, a national breach notification requirement, data destruction mandates, and special requirements for "information brokers."
The Act will now move to the Senate, where it likely will be considered together with recent bills from various Senate Committees, two such bills we discussed in a recent post.
The Act would apply to each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information (or contracts to have any third party entity maintain such data). In short, most businesses in the United States would be subject to the Act and required to establish and implement data security policies and procedures. Like other data security regulations, the Act would permit covered persons, when developing their policies and procedures, to take into account:
- the size of, and the nature, scope, and complexity of the activities engaged in by, such person;
- the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
- the cost of implementing such safeguards.
These new standards will be regulated by the Federal Trade Commission (FTC). Violations of the Act would be enforced primarily by state Attorneys General, although the FTC maintains a right to intervene in those actions. Penalties can be substantial. For example, in the case of a violation of the breach notification requirement, the penalty amount would be calculated by multiplying the number of violations by an amount not greater than $11,000. Each failure to send notification would be treated as a separate violation, with a maximum civil penalty of $5,000,000.
Of course, it will be some time before the Act would become effective, if at all, and it may be substantially modified prior to enactment. Still, recent actions by Congress (for example the enhancements to HIPAA under the American Recovery and Reinvestment Act of 2009) and the states suggest a national standard for protecting personal information is only a matter of time. Companies should be gearing up to deal with these emerging information risks.
For purposes of the Act, the term ‘personal information’ means an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
- Social Security number.
- Driver’s license number or other State identification number.
- Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
The Act would require a covered person to establish policies and procedures that include:
- A policy concerning the collection, use, sale, other dissemination, and maintenance of such personal information.
- Naming an officer or other point person concerning the management of information security.
- Developing a process for identifying and assessing any reasonably foreseeable vulnerabilities in the person’s electronic systems, include regularly monitoring for breaches of security.
- Having a process for taking preventive and corrective action to mitigate against any such vulnerabilities.
- Implementing a process for disposing of obsolete data in electronic form containing personal information.
The Act also would establish a nationwide data breach notification standard. The new standard would be similar in overall format to existing state breach notification laws and the new notification requirement under the HIPAA privacy regulations. While the Act would require notice only if there is a reasonable risk of identity theft, fraud, or other unlawful conduct, persons required to provide notification under the Act must assist affected persons with obtaining certain credit information.
Specifically, upon request of an individual whose personal information was included in the breach, the covered person must provide, or arrange for the provision of, to each such individual and at no cost, consumer credit reports from at least one of the major credit reporting agencies beginning not later than 2 months following the discovery of a breach of security and continuing on a quarterly basis for a period of 2 years thereafter.
The new law would also impose heightened requirements to safeguard personal information on “information brokers”:
commercial entities whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity.
These heightened requirements would include, among other things, a post-breach audit, procedures to verify accuracy of personal information, audit logs for information accessed or transmitted, and prohibitions on pretexting.