Arent Fox
    One to Watch: Data Security Breach Notification Act

    September 23, 2010

    In August, Senators Mark Pryor, D-Ark., and John Rockefeller, D-W.Va., introduced the Data Security and Breach Notification Act, S 3742, which requires firms that engage in the collection and storage of personal information to meet baseline standards for protecting consumers’ personal information. The proposed legislation would apply to persons and entities over which the Federal Trade Commission has authority as well as nonprofit organizations. This means that consumers, businesses and nonprofit organizations should be aware of the requirements.

    The Act’s definition of “personal information” goes beyond what is traditionally collected by Internet marketers. Specifically, the bill defines personal information as "an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: (i) Social Security number; (ii) driver's license number, passport number, military identification number, or other similar number issued on a government document used to verify identity; (iii) financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account." This definition therefore excludes those marketers who are only collecting a first name and e-mail address from its scope. Instead, only those who are collecting a name and e-mail in combination with what has traditionally been deemed to be more sensitive data, such as Social Security numbers, drivers’ license numbers, or financial data, must be cognizant of its requirements.

    Some of the important provisions of the bill are as follows:

    • It would require the FTC to promulgate regulations requiring every covered entity that owns or possesses personal information, or that contracts with a third-party entity to maintain such data for it, to establish and implement policies and procedures for the treatment and protection of personal information. Such policies and procedures would include several factors addressing the standards involved for protecting the data, including requiring covered entities to have a security policy, an officer as a point of contact, a process for identifying vulnerabilities, and rules in place for disposing of electronic and paper data.
    • It would require a covered entity to notify the FTC and affected individuals of information security breaches. The Act sets forth requirements concerning such notification, including the method of notification and timeliness requirements.
    • It also provides a notable exemption from notification requirements. The notification is not required if the covered entity determines that there is no “reasonable risk of identity theft, fraud, or other unlawful conduct.” Thus, if the data is rendered unusable, unreadable, or indecipherable through a security technology or methodology, there would be a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data.
    • The Act requires information brokers to submit their security policies to the FTC in conjunction with a notification of a security breach or on FTC request. It also authorizes the FTC to conduct information security practices audits of brokers or require brokers to conduct independent audits.
    • It requires information brokers, which are essentially companies that buy or sell personal data, to submit their security policies to the FTC in conjunction with a notification of a breach of security or upon request of the Commission. The Act also delineates requirements concerning such notification, including method of notification requirements and timeliness requirements. As with the covered entities, the Act also provides an exemption from notification requirements if the covered entity determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.

    The Act aims to supplant the patchwork of state laws that currently govern security and notification requirements. At present, 46 states, as well as the District of Columbia, have data-breach laws on their books, although the requirements of these laws vary, which makes it difficult for companies to navigate them in the event of a breach. The law, if passed, would be enforced by the FTC and state attorneys general.

    On September 22, the Consumer Protection, Product Safety, and Insurance Subcommittee of the Senate Committee on Commerce, Science, and Transportation will be holding a legislative hearing on the Act.

    Arent Fox is monitoring this issue. Please contact Anthony Lupo or Sarah Bruno if you have questions.

    Anthony V. Lupo
    lupo.anthony@arentfox.com
    202.857.6353

    Sarah L. Bruno
    bruno.sarah@arentfox.com
    202.775.5760

    • © Copyright 2013 Arent Fox LLP. All Rights Reserved.
