Pending Federal Initiatives To Further Regulate Data Privacy and Cyber Security


As of September 2011

Prepared for The Advanced Cyber Security Center Launch Conference, The MITRE Corporation

Michele A. Whitham, Partner, Founding Co-Chair, Security & Privacy Practice Group
Foley Hoag LLP
155 Seaport Boulevard
Boston, MA 02210

I. THE CURRENT LAW BEARING ON DATA PRIVACY AND CYBER SECURITY [1]

Historically, lawmakers in the United States at both the federal and state levels have largely focused their approach to regulating cyberspace on safeguarding the privacy and security of individuals' electronic data, including by specifying the requirements for notifying affected persons of a breach. The result is an array of overlapping statutes intended to protect sensitive, non-public, personal information.

At the federal level, the United States Congress has to date regulated data privacy and security by dividing the landscape by subject matter and promulgating fifteen (15) stand-alone federal statutes governing specialized categories of data, principally financial data, health care information, computer and internet data, and personal communications. In contrast, forty-six (46) of the fifty (50) states [2] and the District of Columbia have enacted statutes designed to protect the privacy and security of individuals' sensitive, private data (typically requiring that a person's name be delinked from such data as Social Security number, financial account numbers, credit card numbers, and similar information that could lead to financial loss or other personal data theft) and requiring notification to individuals of security breaches when they occur. An overview of these laws, including tables summarizing the federal and state statutes enacted to date, can be found at: Security-Center-Launch-Conference-Materials.aspx?ref=1

Finally, it should be noted that several states have taken the forward-thinking step of creating a state executive office specifically governing data security. For example, New York has created the Office of Cyber Security and Critical Infrastructure Coordination, which focuses on threats to electronic information systems; California the Office of Privacy Protection (COPP); and Colorado the Office of Cyber Security. The step of creating state agencies could foreshadow similar measures at the federal level, as data privacy issues jump to the forefront of both individual and national security.

[1] This overview of current law is exclusive of unenacted data privacy and cyber security legislative initiatives currently pending before the United States Senate or House of Representatives, which are the subject of the balance of this publication.

[2] Only Alabama, Kentucky, New Mexico and South Dakota have yet to enact such statutes.

II. PENDING FEDERAL INITIATIVES TO FURTHER REGULATE DATA PRIVACY AND CYBER SECURITY

Faced with the proliferation of federal and state laws regulating piecemeal, insulated segments of the privacy and security landscape (by way of example, healthcare data or financial data), Congress has over the last several years promulgated an array of federal legislative proposals directed at creating a federalized data privacy regime. Many of these initiatives have sought simply to nationalize the protection of sensitive, non-public personal information by providing for a federal law preempting the forty-six state data privacy regimes. [3] Most recently, bills aimed at promoting enhanced cyber security of critical infrastructure and institutions (for example, the internet or the national power grid) have been proposed. This paper overviews currently pending federal initiatives and their status.

A. Cyber Security Initiatives

Of the fifteen (15) bills currently pending in Washington touching on privacy and security issues, only five (5), including a proposed White House cyber security initiative, are squarely focused on cyber security per se, as contrasted to the nearly dozen bills seeking to enhance protections for various categories of non-public, sensitive information. [4] Although the Senate's February 2011 initiative seeking to develop a national strategy to secure cyberspace had begun to advance, the Obama administration's May 16, 2011 cyber security proposal has resulted in Senate efforts to draft comprehensive cyber security legislation being put on hold. The remaining three pending initiatives are languishing with no action being taken.

[3] To be sure, some bills have continued the federal trend of undertaking to regulate specialized categories of data (for example, Social Security numbers). Examples include the Protecting the Privacy of Social Security Numbers Act (S. 1199), introduced by Senator Dianne Feinstein on June 15, 2011 and pending in the Senate Judiciary Committee, and bills requiring the Postal Service to omit proprietary data from noncompetitive purchases (the Postal Service modernization acts), electric utilities to safeguard billing and energy consumption data of their customers (the e-KNOW Act), and local educational authorities to secure educational data shared with other such authorities (the METRICS Act).

[4] Relatedly, governmental initiatives to protect cyberspace are beginning to be backstopped by the efforts of private actors specializing in cyber security. In the United States, for example, the National Institute of Standards and Technology (NIST), headquartered in Gaithersburg, Maryland, launched on August 11, 2011 the National Initiative for Cybersecurity Education - Building a Digital Nation (NICE), a national campaign designed to improve the cyber behavior, skills and knowledge of every segment of the population, enabling a safer cyberspace. The goals of NICE are to (1) raise awareness among the American public about the risks of online activities; (2) broaden the pool of skilled workers capable of supporting a cyber-secure nation; and (3) develop and maintain an unrivaled, globally competitive cyber security workforce. In a parallel development in the EU, the inaugural World Cyber Security Technology Research Summit was held this year at the Centre for Secure Information Technologies (CSIT) in Belfast, Northern Ireland. Among the attendees, drawn from leading research institutes, government bodies and industry, were the UK Home Office, US Department of Commerce, US Cyber Consequences Unit, Stanford University, Carnegie Mellon University, BAE Systems, Thales and IBM. The conference worked to develop a collective strategy for next generation research critical to the creation of cyber security defenses, organized around the following themes: (1) adaptive cyber security technologies (e.g., self-learning technologies with embedded cyber feedback systems); (2) creation and protection of smart utility grids (e.g., development of smart grid standards and protection technologies for smart grid components); (3) security of the mobile platform and applications (e.g., addressing cyber security problems created by the configuration and use of mobile networks); and (4) a multi-faceted approach to cyber security research (accounting for, e.g., social behavioral norms, the economics of cyber security and the impact of legislation).

Senate and White House National Strategy Proposals

1. (Reintroduced) Cyber Security and Internet Freedom Act of 2011 (S. 413). (Introduced 02/17/11 by Sen. Joseph I. Lieberman. Hearings held 05/23/11 by the Homeland Security and Governmental Affairs Committee, one of seven Senate committees claiming jurisdiction over the issue. On 07/13/11 Sen. John McCain called for creation of a temporary Select Senate Committee on Cyber Security and Electronic Intelligence Leaks to break the logjam. Efforts to reconcile Senate and White House cyber security proposals put on hold 07/18/11.)

Establishes in the Executive Office of the President an Office of Cyberspace Policy to (a) develop a national strategy to increase the security and resiliency of cyberspace; (b) oversee, coordinate and integrate federal policies and activities relating to cyber security; (c) ensure that all federal agencies comply with related guidelines, policies and directives of the Department of Homeland Security and other agencies; and (d) ensure that federal agencies have access to, receive and appropriately disseminate law enforcement, intelligence, terrorism and other information relevant to the security of the federal, military and intelligence information infrastructure. Requires the President to appoint a Director of Cyberspace Policy, and to establish within DHS a National Center for Cybersecurity and Communications (NCCC) headed by a Director whose role intersects that of the Assistant Secretary proposed in H.R. 174 (described below). The NCCC Director would work with the private sector and lead the federal effort to secure, protect and ensure the resiliency of the national information infrastructure, including through a United States Computer Emergency Readiness Team, established by statute, to collect and disseminate information on risks to the infrastructure and on security controls. Declares that neither the President, the Director of the NCCC, nor any officer or employee of the U.S. government shall have the authority to shut down the internet, but authorizes the President to declare national cyber emergencies (for a period of 30 days, to be extended only with Congressional approval) and the NCCC Director to direct owners and operators to implement required response plans and emergency actions to maintain operations. Bars other federal entities from intervening in the response (including by restricting or intercepting communications, compelling disclosure or controlling infrastructure) unless the Director determines such intervention to be necessary. Requires owners and operators of critical infrastructure to certify to the Director that they have implemented approved security and cyber emergency measures. Mandates readiness and capacity assessments of the federal workforce to respond to cyber security requirements.

2. White House Cyber Security Regulatory Framework for Covered Critical Infrastructure Act. (Introduced 05/16/11.)

Dual focus on (a) implementing a national cyber security program for computer networks and critical infrastructure and (b) mandating a national standard for data breach notification. As to national cyber security, the White House proposal would require the Department of Homeland Security (DHS) to work with the private sector to identify core critical-infrastructure operators and to prioritize the top cyber threats and vulnerabilities facing these entities. Such operators (including those already reporting to the SEC) would be required to develop cyber security risk mitigation plans that would be assessed by third-party commercial auditors. The proposal also establishes stronger penalties for computer crimes, expands cyber security staffing at DHS, and updates the Federal Information Security Management Act to improve the cyber security of federal information technology systems.
See the section-by-section description of the proposed legislation at

As to the national data breach notification standard, the proposal would cover businesses that collect, use, transmit, retain or dispose of sensitive personally identifiable information on more than 10,000 individuals within a 12-month period, exclusive of businesses covered by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The proposal defines sensitive personally identifiable information (SPII) as a name combined with any two of full birth date, home address or telephone number, or mother's maiden name. SPII also includes a full Social Security, driver's license, passport or other government-issued identification number, biometric data, a unique financial account or payment card number, or other financial information. Covered businesses would be required to notify individuals within 60 days of a breach of SPII that was not secured by technology, and to notify the Department of Homeland Security of a breach involving (a) more than 5,000 individuals; (b) a database containing information on more than 500,000 individuals; (c) a database owned by the federal government; or (d) a database containing SPII of federal employees or contractors. DHS notification would be required at least 72 hours before providing notice to affected individuals or within 10 days of discovery of the breach, whichever comes first. Breaches affecting more than 5,000 individuals in any one state would require the business to notify the individuals and also to post notices in news media outlets.

The proposal also includes three breach notification exemptions: (1) a risk-of-harm trigger for when notice is required, exempting covered businesses that notify the FTC within 45 days that, upon investigation, they have concluded that there is no reasonable risk that the security breach has resulted or will result in harm; (2) an exemption for businesses that use a program that blocks unauthorized financial transactions before they are charged to individual accounts while notifying the affected individuals of the attempted security breach; and (3) an exemption if the U.S. Secret Service or FBI determines that notice could reveal sensitive sources or methods or damage national security. The FTC would promulgate and enforce breach notification rules; state attorneys general would be authorized to file enforcement actions and impose civil penalties of up to $1,000,000 per security incident that is not willful or intentional. Individual lawsuits would be prohibited and existing state breach notification laws would be preempted.

See the fact sheet on the White House proposal at

Stalled House Initiatives

3. Homeland Security, Cyber and Physical Infrastructure Protection Act of 2011 (H.R. 174). (Introduced 01/05/11 by Rep. Bennie G. Thompson. Referred to the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology on 01/31/11. No further action.)
Amends the Homeland Security Act of 2002 to establish within the Department of Homeland Security (DHS) an Office of Cybersecurity and Communications, to be headed by an Assistant Secretary and to include (a) the United States Computer Emergency Readiness Team; (b) a Cybersecurity Compliance Division; and (c) other DHS units with primary responsibility for emergency or national cyber security. The Office would establish and enforce cyber security requirements for civilian (non-military and non-intelligence community) federal systems to prevent, respond to and recover from cyber attacks and incidents. The Act would also require all federal entities to report any cyber incidents on their networks to the Office, which would be required to investigate each incident and report on the extent of compromise, the attackers, the method of penetration, the ramifications and recommended mitigation activities. In addition, the Office would (a) establish and enforce cyber security requirements for private sector computer networks within covered critical infrastructures; (b) be required to share information regarding cyber security threats, vulnerabilities and proposed mitigations; (c) designate information received from and provided to federal agencies and critical infrastructure owners and operators as sensitive security information and enforce requirements for its handling, storage and dissemination; and (d) support research, development, testing, evaluation and transition of cyber security technology relevant to large-scale, high-impact attacks.

4. Executive Cyberspace Coordination Act of 2011 (H.R. 1136). (Introduced 03/16/11 by Rep. James R. Langevin, RI. Referred to the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies 03/25/11. No further action.)

Establishes a National Office for Cyberspace (NOC) within the Executive Office of the President, to serve as the principal office for coordinating cyberspace policies, procedures and information bearing on the cyber security of federal information systems. Requires the NOC Director to (1) develop and update information security policies and procedures; (2) establish a national cyber security education and computer literacy program; (3) review federal agency budgets relating to the protection of information infrastructures; and (4) ensure the operation of a central federal information security incident center. Requires the promulgation of information security standards for federal information systems, a vulnerability assessment for all major information systems, and annual independent audits of each federal agency's information security programs and practices. Requires all federal agency contracts to include requirements for information security.
Establishes a Federal Chief Technology Officer position to advise the President and agency officials on significant developments and trends in information technology and best-in-class technologies. Grants the Secretary of Homeland Security primary authority for the protection of the critical information infrastructure.

5. Cyber Security Enhancement Act of 2011 (H.R. 2096). (Introduced 06/02/11 by Reps. McCaul and Lipinski and referred to the Committee on Science, Space and Technology. No further action.)

An act amending the Cyber Security Research and Development Act (15 U.S.C. 7401 et seq.) in order to advance cyber security research, development and technical standards by requiring that the National Science and Technology Council, with the assistance of the National Coordination Office, develop within twelve (12) months of the Act's passage a strategic plan, based on an overall assessment of cyber security risk, to guide the overall direction of federal cyber security and information assurance R&D for information technology and networking systems. Once every three (3) years after the initial strategic plan is transmitted to Congress, said agencies shall update the plan. The strategic plan would be required to (1) specify near-, mid- and long-term research objectives; (2) focus on innovative, transformational technologies to enhance the digital infrastructure; (3) foster new cyber technologies and applications, including the dissemination of best practices; (4) establish a national research infrastructure for creating, testing and evaluating next generation secure networking and IT systems; (5) facilitate access by academic researchers to the infrastructure and to data; and (6) engage women and minorities in fostering a more diverse cyber workforce. The plan must also include an implementation roadmap (1) specifying the role of each federal agency in implementation; (2) the amount and source of required funding to implement each major research objective; and (3) estimates of funding required for each major research objective for the following three (3) fiscal years.

B. Data Privacy/Breach Response Initiatives

Fully two-thirds of the cyber bills currently pending in Washington focus narrowly on setting standards for securing sensitive personal information and responding to data breaches involving such data. Around the edges of the current legislative session, however, are suggestions of newly emerging legislative themes, such as a growing expression of concern about, if not outright hostility toward, the tracking and monitoring of individual behavior and consumer preferences by internet service providers and sales outlets.

Data Accountability Bills

1. BEST PRACTICES Act (Building Effective Strategies to Promote Responsibility, Accountability, Choice, Transparency, Innovation, Consumer Expectations and Safeguards Act) (H.R. 611). (Introduced 02/10/11 by Rep. Bobby L. Rush, IL. Referred 02/18/11 to the House Subcommittee on Commerce, Manufacturing and Trade. No further action.)

This bill addresses the growing concern over the collection, storage and commercial use by internet service providers of sensitive individual information, often without transparent notice. The bill constrains the commercial conduct of covered entities, defined as persons engaged in commerce that collect or store data containing covered/sensitive information, excluding (1) governments; (2) persons storing covered information from or about fewer than 15,000 individuals; (3) persons collecting covered information from or about fewer than 10,000 individuals during any 12-month period; and (4) persons who do not use covered information to monitor or analyze the behavior of individuals as their primary business. The bill would require covered entities to make available to individuals whose information they collect or maintain the details of their privacy practices and the individual's options with regard to such practices, including (1) the covered entity's identity; (2) a description of the purpose for and potential for information disclosure; and (3) the individual's means to access the information, limit its collection, use and disclosure, and submit questions or complaints regarding the covered entity's practices. The bill also prohibits covered entities from (1) collecting, using or disclosing information except as described in easy-to-understand notices consistent with FTC regulations; (2) collecting or using information without the individual's consent (either affirmative consent or a failure to decline to consent); and (3) disclosing information to a third party without affirmative consent. Covered entities are required in addition to assure information accuracy, security, integrity and confidentiality and to provide individuals with information access and dispute resolution procedures. The bill creates certain exemptions for covered entities participating in one of the FTC's self-regulatory programs (Choice Program), and provides for FTC, state and private rights of enforcement.

2. The Commercial Privacy Bill of Rights Act of 2011 (S. 799). (Introduced 04/12/11 by Sen. John F. Kerry, MA. Read twice and referred 04/12/11 to the Senate Committee on Commerce, Science and Transportation. No further action.)
This bill would require the FTC to initiate various rulemakings to further secure covered information, defined as (1) personally identifiable information; (2) unique identifier information; and (3) any information collected, used or stored in such manner as may reasonably be used to identify a specific individual. One rulemaking would prescribe the security measures to be carried out by covered entities collecting, using, transferring or storing certain personal information of 5,000 or more individuals in any 12-month period. A second rulemaking would prescribe the notification, consent, inaccuracy correction, de-identification and stop-use rights of individuals whose data has been collected. The bill also limits information collection to the restricted purposes for which it is reasonably necessary, sets out specific contract provisions required to use a service provider or to transfer personal information to a third party, and provides for FTC and attorneys general enforcement (but no private right of action), civil penalties and safe harbor programs.

3. Data Accountability and Trust Act (H.R. 1707). (Related Bill S. 1207.) (Introduced 05/04/11 by Rep. Bobby L. Rush, IL. Referred 05/06/11 to the House Subcommittee on Commerce, Manufacturing and Trade. No further action.)

A second bill directed to the FTC, which prescribes largely the same requirements as those detailed in DATA 2011 below, except that it also (1) requires that the FTC be notified of information security breaches (including method and timeliness requirements); (2) exempts from the notification requirements situations where the information broker determines there is no reasonable risk of identity theft, fraud or other unlawful conduct; and (3) preempts all state information security laws.

4. Data Accountability and Trust Act (DATA) of 2011 (H.R. 1841). (Introduced 05/11/11 by Rep. Cliff Stearns, FL. Referred 05/13/11 to the House Subcommittee on Commerce, Manufacturing and Trade. No further action.)

A third bill directed to the FTC, this one requiring the agency to promulgate regulations requiring persons engaged in interstate commerce who own or possess electronic data containing personal information to (1) establish security policies and procedures; (2) submit those policies to the FTC in connection with a breach or on FTC request; (3) establish procedures to verify the accuracy of information identifying individuals; (4) establish procedures permitting individuals whose personal information has been collected to request access to, review and correct inaccurate information; (5) establish measures permitting the auditing or retracing of access to or transmission of electronic personal information; and (6) not obtain or disclose information through pretexting.
The bill also authorizes the FTC to prescribe a standard method or methods for destroying obsolete non-electronic data and for notifying the FTC of security breaches, including special notification requirements for contractors maintaining or processing personal information, breaches involving telecommunications and computer services, and health information.

Data Breach Notification Bills

A principal theme underlying the 2011 crop of data privacy and cyber security legislative initiatives is the need to create a uniform national standard for when to require notice to individuals of a breach of their sensitive, personal information. Among the issues defining the debate is disagreement as to the risk-of-harm trigger for imposing the burden of notice on government and business entities collecting such information. Specifically, triggers that include a reasonable belief of breach or a showing of no significant risk of harm from a breach are being debated as setting too low a threshold and thus likely to result in over-notification of individuals and a subsequent desensitization of the public to the importance of such notices. The competing standard that has been voiced is a significant risk of harm arising from identity theft.

Bills Pending Before the Senate Judiciary Committee

5. Personal Data Privacy and Security Act of 2011 (S. 1151). (Related Bill S. 1535.) (Introduced 06/07/11 by Sen. Patrick J. Leahy, VT. Read twice and referred to the Senate Judiciary Committee (Leahy, Chair). Hearing held by the Judiciary Committee 09/07/11. Business meeting of the Judiciary Committee to consider S. 1151 held on 09/15/11. Two amendments to the bill were adopted and four held over. Consideration ongoing.)

This bill aims squarely at preventing and mitigating identity theft, ensuring privacy, providing notice of security breaches and enhancing criminal penalties, law enforcement assistance, and other protections against security breaches and the fraudulent use and misuse of personally identifiable information. Specifically, the bill amends the federal criminal code to (1) make fraud in connection with unauthorized access to personally identifiable information (electronic or digital) a predicate for racketeering charges; (2) prohibit concealment of security breaches involving sensitive personally identifiable information; and (3) set penalties for attempts and conspiracies to commit fraud in connection with computers. In addition, the bill establishes standards for developing and implementing safeguards to protect sensitive personal information, imposes civil penalties for violating such standards, and proposes a national breach notification standard requiring that notifications be given to (1) individuals whose data has been compromised; (2) all nationwide consumer reporting agencies if more than 5,000 individuals require notification; and (3) the United States Secret Service and the FBI if more than 10,000 individuals are affected.
The bill authorizes the Attorney General and state attorneys general to bring civil actions against violators of the Act and requires the GSA, in awarding contracts of $500,000 or more, to take into account the data privacy and security capabilities and track record of a data broker. Further, the bill requires federal information security programs to evaluate and audit the practices of their contractors or other business entities supporting their systems or operations involving personally identifiable information and to address discovered deficiencies. It also requires federal agencies to conduct privacy impact assessments before buying personally identifiable information from any data broker. Finally, this bill requires data brokers (that is, business entities that collect, transmit or provide access to sensitive personally identifiable information on more than 5,000 individuals who are not customers or employees of that business in order to give the information to non-affiliated third parties on an interstate basis) to (1) disclose to individuals the personal electronic records maintained for disclosure to third parties; (2) disclose adverse actions by third parties as to the individuals; and (3) maintain procedures for correcting inaccurate or incomplete records.

At an executive business meeting held on September 15, 2011, the Senate Judiciary Committee approved two amendments to this bill: one "common sense" amendment clarifying that the definition of "exceeds authorized access" in the Computer Fraud and Abuse Act does not include violations of internet terms of service agreements or of non-government employment agreements restricting computer access, and a second making a variety of technical changes to the CFAA amendment. [5] The bill was held over for further consideration, with four additional proposed amendments still pending.

[5] The CFAA is a recent focus of sharp criticism in view of the Justice Department's efforts to expand the meaning of "exceeds authorized access" to include violations and breaches of terms of use policies and to make such violations felonies.

6. Data Breach Notification Act of 2011 (S. 1408). (Related Bills S and S. 1535.) (Introduced 07/22/11 by Sen. Dianne Feinstein, CA. Referred to the Senate Judiciary Committee. Hearing held by the Judiciary Committee 09/07/11. Business meeting of the Judiciary Committee to consider S held on 09/15/11. Consideration ongoing.)

This bill is Senator Feinstein's fifth attempt since 2003 to secure passage of a federal breach notification bill. The Senator's most recent data breach initiative would require federal agencies, and persons engaged in interstate commerce, in possession of data containing sensitive, personally identifiable information, to disclose any breach of such information. (Committee on the Judiciary Notice of Hearing.)

The bill requires federal agencies and business entities engaged in interstate commerce that use, access or collect sensitive, personally identifiable information to notify United States residents whose information may have been accessed or acquired, and the owner or licensee of any such information (if not the agency or business itself). Exempted from the notification requirement are breaches implicating national security or law enforcement issues, breaches certified by the Secret Service as having no significant risk of harm, and business entities utilizing security programs that block the use of personally identifiable information to initiate unauthorized financial transactions and provide notice of the breach. The Act also requires that certain specified breaches be reported to the Secret Service, FBI, Postal Inspection Service and state attorneys general. This bill would also amend the Fair Credit Reporting Act (FCRA) to require consumer reporting agencies to include a fraud alert in the file of a consumer who submits evidence of compromised financial information. Civil enforcement actions for violations would lie with both the United States and state attorneys general.

7. Personal Data Protection and Breach Accountability Act of 2011 (S. 1535). (Related Bills S and S. 1408.) (Introduced 09/08/11 by Sen. Richard Blumenthal, CT. Read twice and referred to the Senate Judiciary Committee. Business meeting of the Judiciary Committee to consider S held on 09/15/11. Consideration ongoing.)

Senator Blumenthal's bill would also preempt the existing breach notification laws in 46 states and the District of Columbia and create a uniform national data breach notification standard. The Blumenthal standard would require federal agencies and businesses to provide notice to individuals, without unreasonable delay after discovery, if the breach presents a significant risk of harm or fraud to any individual. The bill also specifies the form of notice: in writing, by e-mail, by telephone, by posting a public notice on the breached entity's website, or (in the event of breaches affecting 5,000 or more individuals) by posting notice in major media outlets. Notice must also be given to the Secret Service and the FBI in the event of breaches impacting 5,000 or more individuals, a federal database or national security. Remedies for individuals would include free credit monitoring services for two years and the right to bring civil lawsuits for up to $20 million in damages, including punitive damages. The United States and state attorneys general would be authorized to enforce the data security and breach notification requirements of the bill.
The bill would also charge the United States attorney general with establishing a post-breach technical analysis clearinghouse so that covered entitled can share information to assist in mitigating against future breaches. Additional provisions in this wide-ranging bill would (1) require the GSA to impose data security requirements on government contracts of more than $500,000; (2) require all federal agencies to audit the safeguards of their contractors; (3) bar ISPs from using personal information willfully to bypass a user s search engine results to redirect them to another website for economic gain; (4) ban the installation of spyware and key-logging software without consent; (5) criminalize the intentional concealment of a data breach that causes economic harm or substantial emotional distress personal to even one person; and (6) criminalize the sending of a breach notification in an attempt to defraud. -13-

Bills Pending Before the Senate Commerce Committee

8. Data Security and Breach Notification Act of 2011 (S. 1207). (Related Bill S. 1434). (Introduced 06/15/11 by Sen. John D. Rockefeller, W.Va., Commerce Committee Chair, and Sen. Mark Pryor, D. Ark., Insurance Subcommittee Chair. Read twice and referred to the Senate Committee on Commerce, Science and Transportation.)

This bill is Sens. Rockefeller's and Pryor's second attempt in as many years to secure passage of a bill authorizing the FTC to set national data breach security standards and issue regulations requiring certain businesses to notify individuals in the event of a breach of their electronic personal information. This bill also proposes to preempt the 47 state and District of Columbia breach notice laws and contains a risk of harm trigger, relieving covered entities from having to provide notice if, after investigation, there is no reasonable risk of identity theft, fraud or other unlawful conduct stemming from the compromise of electronic records. The bill also empowers the FTC to post information on its website about reported breaches if in the public interest and to enforce the breach notification provisions, including by imposing up to $5MM total damages ($11,000 per person) per single breach incident for failures of notice. Covered entities would also have to give two years of free credit monitoring. The bill singles out data brokers for attention: they would be required to submit their data security policies to the FTC for approval and to improve their processes for allowing individuals to access and correct their personal information, and they would be barred from seeking personal information through false pretenses. State attorneys general, but not individuals, would enforce the law.

9. Data Security Act of 2011 (S. 1434). (Related Bills S and S. 1408). (Introduced 07/28/11 by Sen. Thomas R. Carper, CT. Read twice and referred to the Senate Committee on Banking, Housing and Urban Affairs.)

This bill is Senator Carper's fourth attempt since 2006 to secure passage of legislation (modeled after the data security provisions of Gramm-Leach-Bliley) requiring federal agencies and businesses to adopt measures implementing information security safeguards (principally for personal financial information) and to investigate security breaches, and mandating breach notification requirements. This bill too would preempt state data security laws. Unique features of this bill include an exemption from notification requirements if the protected information is maintained in a form not usable to commit identity theft or to make fraudulent transactions, or is sent in encrypted, redacted, coded or some other masked form. The bill also contains a risk of harm threshold, requiring notification only if an investigation of a breach demonstrates that the purloined information is likely to be misused in a manner causing substantial harm or inconvenience, measured in terms of material financial loss. Enforcement of this law would be by the FTC.

10. SAFE Data Act (Secure and Fortify Electronic Data Act) (H.R. 2577). (Introduced 07/18/11 by Rep. Bono Mack. Referred to the House Energy and Commerce Committee. No further action.)

This bill aims to protect consumers by requiring the promulgation of reasonable security policies and procedures to protect data containing personal information and to provide nationwide notice in the event of a security breach. The bill would require all persons engaged in interstate commerce that own or possess data containing personal information related to the commercial activity, including information brokers, to establish such policies and procedures within one (1) year of the bill's passage. Such policies and procedures must include, in addition to rules regarding the collection, use, sale, other dissemination and maintenance of the information, vulnerability assessment systems, preventive and corrective action requirements, and processes for disposing of such information. The bill would also require that businesses minimize the amount of such data maintained. Intermediate and transient storage service providers would be exempted from the bill's requirements. Enforcement would be by the FTC and state attorneys general, with the financial penalties echoing those of the Data Security and Breach Notification Act of

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

S. ll IN THE SENATE OF THE UNITED STATES A BILL

S. ll IN THE SENATE OF THE UNITED STATES A BILL TH CONGRESS ST SESSION S. ll To codify mechanisms for enabling cybersecurity threat indicator sharing between private and government entities, as well as among private entities, to better protect information

More information

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY

More information

Data security: A growing liability threat

Data security: A growing liability threat Data security: A growing liability threat Data security breaches occur with alarming frequency in today s technology-laden world. Even a comparatively moderate breach can cost a company millions of dollars

More information

BUSINESS AND COMMERCE CODE PERSONAL IDENTITY INFORMATION UNAUTHORIZED USE OF IDENTIFYING INFORMATION

BUSINESS AND COMMERCE CODE PERSONAL IDENTITY INFORMATION UNAUTHORIZED USE OF IDENTIFYING INFORMATION BUSINESS AND COMMERCE CODE TITLE 11. PERSONAL IDENTITY INFORMATION SUBTITLE B. IDENTITY THEFT CHAPTER 521. UNAUTHORIZED USE OF IDENTIFYING INFORMATION SUBCHAPTER A. GENERAL PROVISIONS Sec. 521.001.AASHORT

More information

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development 7.0 Information Security Protections The aggregation and analysis of large collections of data and the development of interconnected information systems designed to facilitate information sharing is revolutionizing

More information

New Privacy Laws Impacting the Health Care Work Place

New Privacy Laws Impacting the Health Care Work Place New Privacy Laws Impacting the Health Care Work Place Presented by Thomas E. Jeffry, Jr., Esq. Arent Fox LLP Washington, DC New York, NY Los Angeles, CA November 12 & 19, 2009 Overview 1. Overview of California

More information

Privacy Legislation and Industry Security Standards

Privacy Legislation and Industry Security Standards Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,

More information

Data Breach Response Basic Principles Under U.S. State and Federal Law. ABA Litigation Section Core Knowledge January 2015 1

Data Breach Response Basic Principles Under U.S. State and Federal Law. ABA Litigation Section Core Knowledge January 2015 1 Data Breach Response Basic Principles Under U.S. State and Federal Law ABA Litigation Section Core Knowledge January 2015 1 I. Introduction Data breaches have become an unfortunate reality for many of

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

SUMMARY: The Office of the Secretary of Defense proposes to. alter a system of records notice DPFPA 02, entitled Pentagon

SUMMARY: The Office of the Secretary of Defense proposes to. alter a system of records notice DPFPA 02, entitled Pentagon This document is scheduled to be published in the Federal Register on 02/11/2016 and available online at http://federalregister.gov/a/2016-02788, and on FDsys.gov Billing Code: 5001-06 DEPARTMENT OF DEFENSE

More information

THE WHITE HOUSE Office of the Press Secretary

THE WHITE HOUSE Office of the Press Secretary FOR IMMEDIATE RELEASE February 13, 2015 THE WHITE HOUSE Office of the Press Secretary FACT SHEET: White House Summit on Cybersecurity and Consumer Protection As a nation, the United States has become highly

More information

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Submitted via email: cyberframework@nist.gov April 8, 2013 Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Re: Developing a Framework

More information

Use & Disclosure of Protected Health Information by Business Associates

Use & Disclosure of Protected Health Information by Business Associates Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003

More information

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015 Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission June 25, 2015 1 Your Panelists Kenneth L. Chernof Partner, Litigation, Arnold & Porter LLP Nicholas

More information

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations Health Care Litigation Webinar Series March 22, 2012 Spence Pryor Paula Stannard Jason Popp 1 HIPAA/HITECH

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES This special report examines the cyber risk disclosures made by the retail sector of the Fortune 1000.

More information

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate Privacy, Data Security & Information Use September 16, 2010 Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate by John L. Nicholson and Meighan E. O'Reardon Effective

More information

Business Associates and HIPAA

Business Associates and HIPAA Business Associates and HIPAA What BAs need to know to comply with HIPAA privacy and security rules by Dom Nicastro White paper The lax days of complying with privacy and security laws are over for business

More information

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION CONTRACTOR SECURITY OF THE SOCIAL SECURITY ADMINISTRATION S HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12 CREDENTIALS June 2012 A-14-11-11106

More information

Privacy Law Basics and Best Practices

Privacy Law Basics and Best Practices Privacy Law Basics and Best Practices Information Privacy in a Digital World Stephanie Skaff sskaff@fbm.com What Is Information Privacy? Your name? Your phone number or home address? Your email address?

More information