- A recently proposed bill calls for a single national data breach notification standard, which would replace the existing state notification laws and “clarify and strengthen” organizations’ reporting obligations.
Rhode Island Congressman Jim Langevin reintroduced the Personal Data Notification and Protection Act in September 2017, in the wake of the large-scale Equifax data breach.
In that situation, consumers were not immediately notified whether they were potentially affected, Langevin said in a statement. There must be clear communication on such matters, which is why his legislation is necessary to face the current cybersecurity threats.
“This bill will replace the patchwork of 48 state breach notification laws with a single nationwide standard that would clarify and strengthen companies’ obligations to report intrusions that compromise consumers’ personal information,” Langevin stated. “Americans put a lot of trust in companies by giving them personal and private information, and they should have confidence that their data is secure.”
Individual notification must take place within 30 days, according to the bill. The Federal Trade Commission (FTC) would also help coordinate the notification process.
A written notification through the mail, telephone notification, or email notification are all acceptable ways for individuals to be told about a potential data breach, the bill states.
“If the number of residents of a State whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person exceeds 5,000, notification is provided to media reasonably calculated to reach such individuals, such as major media outlets serving a State or jurisdiction,” the bill reads.
HITECH Act defined covered entities and business associates are excluded from the Act, or “business entities to the extent that they act as vendors of personal health records.”
The following is considered “personally identifiable information,” where it would require notification be made should the data be compromised:
- An individual’s first and last name or first initial and last name in combination with any two of the following data points: Home address or telephone number, mother’s maiden name, date of birth
- Social Security number, driver’s license number, passport number, or alien registration number or other Government-issued unique identification number
- Unique biometric data such as a finger print, voice print, a retina or iris image, or any other unique physical representation
- A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code.
An organization that conducts a risk assessment and “concludes that there is no reasonable risk that a security breach” would lead to harm, or did harm, to individuals whose information was involved may qualify for Safe Harbor, according to the bill.
There has previously been opposition to federal data breach notification processes that would preempt state law.
The National Association of Attorneys General (NAAG) wrote a letter to Congress in 2015 that stressed the need for states need to have the ability to enact and enforce state breach notification. Oftentimes, state laws have more protections that federal ones, the group maintained.
“In recent years, a number of states have reexamined and updated their data breach notification laws to ensure they continue to protect the sensitive information about consumers being collected,” NAAG said. “Some states now include notification requirements for compromised biometric data, login credentials for online accounts, and medical information.”
The changes reflect how data collection has increased over the past decade, and show a response to consumer concern over that increase.
State attorneys general have also seen cases where unsecured networks lead to consumers’ information being compromised, the group stated. Federal legislation must allow states to continue to enact and enforce the necessary protections.
“While such notification at the federal level may work for large breaches that affect consumers nationwide, it does not work for breaches that affect one state or one region,” NAAG explained. “Many breaches are significant, but not nationwide in their scope. A better solution to the problem is for state attorneys general to also be given timely notification of breaches, as many state laws already require.”