You may need to squint to see it, but amid all the legislative fireworks over healthcare and financial regulation, Congress is also finally taking some substantive steps to overhaul the country’s tangled mess of data privacy laws.

As 2009 drew to a close, the House passed a bill that would set a federal standard for when corporations must disclose privacy breaches and require them to adopt measures to secure customers’ personal information. The Senate is also mulling legislation that would impose a federal breach notification standard and require companies to adopt information security measures.

If approved—and to be sure, approval is still far from certain—a federal privacy law would prompt the compliance and IT security communities to burst into song. Companies currently face a thicket of state laws passed in recent years to guard consumer privacy, plus numerous industry standards set by regulatory agencies; a uniform federal standard would pre-empt all that and, in theory, streamline compliance efforts.


“A federal law requiring breach notification would be a relief to companies that currently need to comply with 48 breach notification laws in various U.S. jurisdictions,” says Lisa Sotto, a partner in the law firm Hunton & Williams.

Still, a federal privacy law isn’t a foregone conclusion. Several previous efforts to pass a federal breach notification law have failed, and critics argue that any federal law should not weaken stronger consumer protections state laws might provide. But observers say momentum has been building for passing federal regulation, driven by increasing concerns about identity theft and financial fraud.


“It could happen this year,” says Tanya Forsheit, a founder of the Information Law Group. “There’s a greater focus on consumer privacy issues than we’ve had in years past. Especially with the growth of social networking, it’s more in the front of people’s minds.”

Lawmakers are currently considering at least three bills related to notification of privacy breaches. Two of those three would also impose data security requirements.

On Dec. 8 the House approved HR 2221, the Data Accountability and Trust Act, which would direct the Federal Trade Commission to write rules requiring any organization that possesses electronic data containing personal information to adopt security policies and procedures to protect that data, and would provide for nationwide notice in the event of a breach.

And in November, the Senate Judiciary Committee approved two bills: S. 139, the Data Breach Notification Act, introduced by Sen. Dianne Feinstein; and S. 1490, the Personal Data Privacy and Security Act, introduced by Sen. Patrick Leahy. Feinstein’s bill would require breach notification and authorize the Justice Department to bring a civil action against businesses that violate the law. The Leahy bill would also implement a federal breach notification requirement, as well as toughen punishment for identity theft and other privacy violations, and require businesses to create a data privacy and security program to prevent breaches.

Both bills now await votes by the full Senate.

The Fine Print


The idea of a federal privacy law does have wide support in Washington, but previous legislative efforts have generally derailed over arguments about how stringent the standard should be and how broadly it should apply. Even now, lawmakers would still need to agree on how to define the personal information protected under a federal rule. For example, the House bill’s definition of personal information is in step with that adopted by most states, but the Senate bills define personal information more broadly, says Gabriel Helmer, co-chair of the security and privacy group at the law firm Foley Hoag.


And while the House legislation would apply to all companies, Helmer notes that the Leahy bill would apply only to companies that have information on 10,000 or more clients or customers.

Compared to some state laws, Helmer says the information security requirements in the House bill “aren’t particularly onerous”—although the legislation would require the secure disposal of personal information, which few states currently require. The House measure would generally give companies 60 days to alert customers to a breach, which is more stringent than what most states have.

The House legislation would also require companies to provide free credit monitoring and free credit reports for a specified period for customers affected by a breach. Many companies already do that, Helmer says, but “it hasn’t been a statutory requirement, and that can be expensive if there’s a large breach.”

Another potential conflict is disagreement over exactly when a notification would be necessary. Under the House bill, for example, companies would not need to notify customers or the FTC of a breach if there is no reasonable risk of harm from the breach. That is a less demanding standard than the law in numerous states, which require reporting regardless of risk.


2221 REQUIREMENTS

Below is an excerpt from HR 2221, listing the requirements for information security if the bill becomes law:

General Security Policies and Procedures

(1) REGULATIONS: Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information, or contracts to have any third party entity maintain such data for such person, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information taking into consideration:

(A) The size of, and the nature, scope, and complexity of the activities engaged in by, such person;

(B) The current state of the art in administrative, technical, and physical safeguards for protecting such information; and

(C) The cost of implementing such safeguards.

(2) REQUIREMENTS: Such regulations shall require the policies and procedures to include the following:

(A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information.

(B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.

(C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system maintained by such person that contains such electronic data, which shall include regular monitoring for a breach of security of such system.

(D) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by subparagraph (C), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.

(E) A process for disposing of obsolete data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or undecipherable.

Source: Text of Congressional Act HR 2221

Mark McCreary, a partner in the law firm Fox Rothschild, doesn’t expect the House bill to gain much traction. McCreary says the proposed House measure is problematic because it’s less stringent than some states’ laws, and its triggers for notification are unclear.

“Like the long line of dead bills that have tried to do something similar in the past, I don’t think it stands much of a chance,” he says. “Under many [situations], if a company asks the question, ‘Do we have to comply with this?’ it’s hard to say yes or no.”

Meanwhile, more states are passing detailed data security regulations anyway, regardless of what Congress may or may not do. Among the most stringent are those adopted by Massachusetts, which are currently slated to take effect March 1, 2010.

The Massachusetts regulations require companies to take steps to secure the personal information of state residents, in some cases by encrypting laptops and portable devices. The law applies to any company that maintains personal information about a Massachusetts resident, regardless of where the company is based.

The Massachusetts regulation (formally known as 201 CMR 17) originally struck fear in many compliance and IT departments for its exacting standards, but state regulators have repeatedly stalled the implementation date and clarified the language of the rule to ease the compliance burden.

Nevada also has a new privacy law that went into effect on Jan. 1, which requires the encryption of personal information in certain circumstances and mandates that businesses that accept payment cards comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI standards are already common in the retail world anyway, since Visa and Mastercard require merchants that accept their cards to follow PCI DSS.

Observers say the trend toward encryption requirements could significantly affect some companies. While encryption “has been a best practice, in a lot of circumstances, it hasn’t been the law,” Forsheit says.

Helmer says companies should adopt information security policies and practices whether or not a federal mandate passes this year. “They not only face threats to customer information, they also face threats to their own information and systems,” he says. “The threats have never been greater.”