Data Security And Breach Notification Act Of 2010

As healthleadersmedia.com notes, a data breach notification bill has been proposed by Senators Pryor (D-AR) and Rockefeller (D-WV).  The wording is similar to existing state and federal legislation concerning breach notification, including safe harbor exemptions if drive encryption software is used to secure data.  And yet, it amends many of the shortcomings found in those existing laws.

The Bill

The bill is composed of essentially two parts: an information security section and a breach notification section.

Per the definitions, the bill would cover pretty much any organization or agency in the US:

The term "covered entity" means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity, and any charitable, educational, or nonprofit organization, that acquires, maintains, or utilizes personal information.

The government appears to be excluded.  The type of information that is to be protected includes an interesting twist.  The term personal information includes a person's:

  • First name or initial and last name; or
  • Address; or
  • Phone number

in combination with one or more of the following:

  • SSN or any other "government document used to verify identity," such as driver's license, passport number, military ID number, etc.
  • Financial account numbers; credit or debit card numbers; and any password, security, or access codes for gaining entry to a financial account

The inclusion of the address and phone numbers is a new twist.  I guess one could make an argument for unlisted phone numbers.  I mean, such information is technically not in the public domain, in the sense that they're not listed in the white pages.  On the other hand, it's hard to argue that telephone number = personal information.

Information Security

The bill would require that covered entities do a number of things as precautionary measures.

  • Create a security policy regarding personal information
  • Appoint a person responsible for info security
  • Identify and assess foreseeable vulnerabilities (reasonable ones), including regular monitoring for breaches
  • Prevent and mitigate such vulnerabilities
  • Create a process for disposing of personal information, electronic as well as paper-based documents

There is also a special section for information brokers.

Not complying with the above means civil penalties, capped at $5 million, can be pursued by state Attorneys General.  The actual fine would be calculated by

multiplying the number of days that a covered entity is not in compliance with such section by an amount not greater than $11,000.

In other words, you'll be fined for the first 454 days, and on the 455th day the cap kicks in.  Seems to me that, perhaps, after the 365th day, the fines ought to ratchet up or something.  I mean, dang, it's been a year already.

I should mention that the above penalties are also inflation-adjusted, annually (tied to the Consumer Price Index increase).

Data Breach Notification

In the event that personal information is breached by a covered entity, the FTC and affected US citizens must be notified.

If a third party experiences the breach, the covered entity that owns the data must be informed, which will in turn notify people and the FTC.  Nothing new here.

If more than 5,000 people are affected by the breach, credit reporting agencies must be notified as well, preferably before affected people are notified.  I guess the logic behind it is, it will take time to notify people and have them act to alert the credit reporting agencies.  Why not, if you will, bypass the "middleman" and go straight to the guys who can do something--the credit reporting agencies--to curtail potential dangers?

Notifications must be made without unreasonable delay, with a limit of 60 days since the discovery of the breach.  There are exceptions for law enforcement and national security issues, restoring the integrity of attacked systems, etc.

Unlike most previous laws, there are requirements on what must be included in the breach notification:

  • (Estimated) date of the breach
  • What type of personal information was breached
  • A free phone number for finding out more information
  • Notice that affected people are entitled to receive 2 years of consumer credit reports, or 2 years of credit monitoring services, for free
  • Contact information for major credit reporting agencies as well as to the FTC

Now, the 2-year, free-of-charge credit monitoring is news to me.  Unless, of course, what it implies is that it's free to the affected people because the covered entities are paying for it.

Substitute notifications--such as e-mail or a public posting on a website--can be used if fewer than 1,000 people are involved in the breach, or if it ends up costing too much (no specification on what's too much, though).  Such notifications also have the same content requirements found above.

Small businesses and small non-profits can receive a partial waiver, depending on the circumstances.

Civil penalties can be pursued for not complying with the breach notification legislation, also with a cap of $5 million.  The fine itself is calculated as follows:

multiplying the number of violations of such section by an amount not greater than $11,000. Each failure to send notification ... to a resident of the State shall be treated as a separate violation.

In other words, have a breach of 10 people and you're potentially facing a maximum penalty of $110,000.  However, something must have been royally wrong in order for such a penalty to be assessed.

Exemption / Safe Harbor - Encryption Software

One of the glaring loopholes found in data breach notification legislation goes like this:

A covered entity shall be exempt from the requirements under this section if, following a breach of security, such covered entity determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.

This is tantamount to putting the fox in charge of the chicken coop, and this bill has the same language (indeed, I lifted the above straight off the bill).  However, the bill has a presumption clause: the above determination can only be made if personal information truly has been rendered "unusable, unreadable, or indecipherable through a security technology or methodology."

Furthermore, such technology must be one accepted by experts in information security.  In other words, strong encryption like AlertBoot would pass the test, weak encryption probably not, and password-protection not at all.


Related Articles and Sites:
http://www.healthleadersmedia.com/print/LED-255215/Data-Security-Breach-Bill-Calls-for-Strict-Notification-Requirements
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:s3742is.txt.pdf


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.