Although the legislation has not yet been formally introduced, its sponsors, Representative Blaine Luetkemeyer (R-Missouri) and Representative Carolyn Maloney (D-New York), released a draft of the “Data Acquisition and Technology Accountability and Security Act” for public consideration on February 16, 2018. The draft bill would establish a federal data security and breach notification regime enforced by the Federal Trade Commission and state attorneys general.
The draft bill would apply to “covered entities,” which are defined as “any person, partnership, corporation, trust, estate, cooperative, association, or other entity that accesses, maintains, or stores personal, or handles personal information.” In addition to requiring covered entities to develop, implement, and maintain security safeguards appropriate to the particular entity’s size, activities, and the sensitivity of the personal information maintained, the draft bill sets forth a federal standard for data breach response. Notably, the draft bill would require a covered entity to conduct a preliminary investigation and determine whether there has been an unauthorized acquisition of personal information and whether there is a “reasonable risk that the breach of data security has resulted in or will result in identity theft, fraud, or economic loss to the consumers to whom the personal information involved in the incident relates.” If this standard is met, a covered entity would be required to notify certain government agencies, such as the Secret Service or the FBI, and other organizations, such as payment card networks and consumer reporting agencies (depending on the type of breach), but only if the breach involves the personal information of 5,000 or more consumers. Furthermore, a covered entity’s obligation to notify affected consumers is triggered only if the covered entity determines that “there is a reasonable risk that the breach of data security has resulted in identity theft, fraud, or economic loss to any consumer . . . .” Notice to the relevant agencies and to affected consumers must be provided “immediately” and “without unreasonable delay.” Finally, the draft bill exempts insurers and expressly preempts state data security and breach notification laws. As described further below, this proposed breach response regime is much less stringent than existing state breach notification laws.
On March 19, 2018, a coalition of 32 attorneys general, led by Illinois Attorney General Lisa Madigan, wrote a letter to the U.S. House of Representatives Committee on Financial Services and its Subcommittee on Financial Institutions and Consumer Credit opposing the current language of the proposed bill. The attorneys general referred to themselves as the “chief consumer protection officials” in their states and urged Congress not to preempt state data security and breach notification laws. The letter highlighted that the draft bill “totally preempts all state data breach and data security laws, including laws that require notice to consumers and state attorneys general of data breaches.” Additionally, the letter referenced the draft bill’s exemption of financial institutions from state enforcement, stating that the draft bill “appears to place Equifax and other consumer reporting agencies and financial institutions out of states’ enforcement reach.” The attorneys general also took issue with the draft bill’s proposal to allow “entities suffering breaches to determine whether to notify consumers of a breach based on their own judgment of whether there is ‘a reasonable risk that the breach of data security has resulted in identity theft, fraud, or economic loss to any consumer . . . .’” They argued that this provision would “result in less transparency to consumers” and would permit entities to notify consumers “after the harm already has occurred,” hindering consumers’ ability to take proactive steps to protect themselves from identity theft. Finally, the attorneys general emphasized that “data breaches come in all sizes” and that the draft bill “fails to acknowledge this fact by only addressing large, national breaches affecting 5,000 or more consumers . . . .”
Entities in all states should be on the lookout for potential data breach notification legislation at the federal level. If the draft bill were to pass in its current form, entities would need to revise their existing data breach response policies to account for the bill’s preemption of existing, more stringent state breach notification laws. This would result in a more streamlined approach to data breach response and a significant decrease in the number of required breach notifications. We will be monitoring this issue closely and will keep our readers up to date on the status of any federal breach notification bills.