A Uniform Data Breach Notification Law
With a New Administration in Power, Will It Become a Reality?
The Legal Intelligencer, by James E. Kurack Jr.
Given the current recession and mortgage crisis, it is difficult to imagine the new president and Congressional leadership focusing on anything besides the economy. Nevertheless, the record number of data breaches exposing the personal information of individuals in the past year will force the new administration to make data security one of the focal points of its anticipated push of consumer protection laws.
While many commentators have discussed the increase in regulation we will see in the insurance and banking industries, I believe businesses can also expect to see more regulation in the area of data security and privacy. These regulations could include new legislation requiring immediate disclosure of data security breaches and minimum requirements for the protection of personal information, such as Social Security numbers. The new president's anticipated consumer protection agenda may also include broader enforcement powers for the Federal Trade Commission to allow for more thorough investigations of data security breaches.
Although more than 40 states have some type of data breach notification law that requires businesses to notify residents of their state when their personal information has been compromised, there is currently no federal data breach notification law. The 110th Congress introduced four separate bills in the area of data privacy last year. Congress, however, failed to pass any of these bills.
As expected, the new Congressional leadership has quickly reintroduced very similar legislation, presumably due to the increasing number of data security breaches as well as the president's promise to make cyber security a priority.
On Jan. 6, Sen. Dianne Feinstein, D-Calif., introduced two data security bills: the Data Breach Notification Act and Protecting the Privacy of Social Security Numbers Act. These bills are similar to the legislation sponsored in the 110th Congress.
Data Breach Notification Act
The Data Breach Notification Act (S. 139) seeks to establish a national data security breach notification law. The bill would require any business or federal agency engaged in interstate commerce that uses, accesses, transmits or collects sensitive personally identifiable information to notify any resident of the United States of a data security breach if their personal information "has been or is reasonably believed to have been accessed or acquired."
"Sensitive personally identifiable information" includes an individual's first name or initial and last name together with:
- Any one of the following: their Social Security number, driver's license, passport or alien registration numbers; or
- Any two of the following: home address and telephone number; mother's maiden name (if identified as such); unique biometric measurements; or a unique account identifier (such as an ATM password).
The bill allows businesses to notify affected individuals by letter, telephone or e-mail. Written notification must be provided to the last known address of the affected individual. E-mail notification is only permitted when an individual has consented to receive such notification by e-mail.
According to the proposed bill, the contents of the notification must include the following:
- A description of the categories of sensitive personally identifiable information acquired by an unauthorized person;
- A toll-free number that the individual may use to contact the agency or business entity to learn what types of personal information the agency or entity maintained; and
- Toll-free telephone numbers and addresses for the major credit reporting agencies.
Significantly, the bill requires businesses and agencies suffering a data breach to notify third parties. If the data security breach affects over 5,000 individuals in a particular state, the bill requires that the business or agency suffering the data security breach notify the major media outlet of that state.
Businesses or agencies are also required to notify consumer credit reporting agencies when the breach affects more than 5,000 individuals.
In the event the data security breach affects over 10,000 individuals, businesses or agencies must notify the U.S. Secret Service "as promptly as possible, but not later than 14 days after discovery of the events requiring notice." Businesses and agencies must also notify the attorney general of each state affected by the data security breach.
The bill requires notification "without unreasonable delay" following discovery of the data security breach. "Reasonable delay" includes the time necessary to investigate the scope of the data breach, prevent further disclosure and provide notice to law enforcement authorities.
S. 139 contains limited exceptions to the notification requirement. One exception is triggered where a company's "risk assessment concludes that there is no significant risk that a security breach has resulted in, or will result in, harm to the individual whose sensitive personally identifiable information was subject to the security breach." A business or agency seeking this exemption must notify the Secret Service of the written results of its risk assessment within 45 days after the security breach.
The bill presumes that there is no significant risk of harm when the sensitive personally identifiable information has been encrypted. This exception, however, does not apply when the data breach involves a credit card number along with an individual's first and last name. Another exception is triggered when notification of a data security breach may impede a law enforcement investigation. A third exception is triggered when disclosure may cause damage to national security.
The bill provides for enforcement by the U.S. Attorney General. Businesses and agencies that violate this proposed law could be subject to a civil penalty of $1,000 per day per individual.
The Protecting the Privacy of Social Security Numbers Act
The Protecting the Privacy of Social Security Numbers Act (S. 124) seeks to prevent identity theft by limiting the use of Social Security numbers. The bill would ban the sale or display of an individual's Social Security number without "the affirmatively expressed consent of the individual." According to the bill, the term "display" means to "intentionally communicate or otherwise make available (on the Internet or in any manner) to the general public an individual's Social Security number."
In order to obtain consent under the proposed bill, businesses must inform the individual of the following:
- The purpose for which their Social Security number will be used;
- The type of persons to whom their Social Security number will be made available; and
- The scope of the transaction permitted by the consent.
The individual's consent must be affirmatively expressed (either electronically or in writing).
This proposed bill contains exceptions for those instances in which the display, sale or purchase of Social Security numbers is required by federal law. Other exceptions include circumstances in which the display, sale or purchase of Social Security numbers is necessary for the protection of the public health, national security, the investigation of fraud and the facilitation of certain credit checks.
The bill also limits the circumstances in which businesses may request that a customer give his or her Social Security number during the purchase of a "commercial good."
Under the proposed bill, businesses can only make such a request in the following circumstances:
- When obtaining a consumer report for any purpose permitted under the Fair Credit Reporting Act;
- When a background check of the individual is conducted by a landlord, lessor, employer, voluntary service agency, or other entity as determined by the attorney general;
- When a law enforcement agency requires it;
- When federal, state or local law requires it; or
- When the Social Security number is necessary to verify the identity of the consumer to effect, administer or enforce the specific transaction requested or authorized by the consumer or to prevent fraud.
Legislation in the House
As in previous years, I expect we will see a competing data security bill introduced in the U.S. House of Representatives. Last year, the Data Accountability and Trust Act (H.R. 958) was introduced in the House; it set forth minimum data breach notification and content requirements similar to those in the recently proposed Senate bill. The bill also contained similar exceptions to notification.
Unlike the Senate bill, H.R. 958 authorized the Federal Trade Commission to establish regulations requiring each business engaged in interstate commerce that owns or possesses electronic data containing personal information to establish and implement information security policies and procedures for the protection of personal identifiable information. The bill also required any business suffering a data security breach to notify the FTC.
Future FTC Oversight Powers
At least a dozen privacy and consumer groups have already met with President Obama's transition team to discuss the FTC's role in protecting consumer privacy. President Obama has already promised to enlarge the budget and enforcement powers of the FTC.
The FTC's increased oversight powers will likely lead to more civil penalties and monetary fines for statutory violations. As a result, businesses should expect an end to the era of self-regulation in the area of privacy and data security.
Given the rapid increase in data security breaches, the new Congressional leadership will undoubtedly conduct hearings and continue to debate legislation on data security in the upcoming Congressional term. Now that almost every state has some type of data security breach notification law, the passage of a federal data breach notification law is uncertain. Certainly, the passage of stringent data security breach laws in Nevada and Massachusetts, requiring mandatory encryption, makes federal pre-emption in this area unlikely.
However, if the new president continues to support national standards for securing the personal information of individuals, Congress may finally pass a federal data breach notification law.
Even if Congress does not pass a federal data breach notification law, I expect that the new president will increase the budget and oversight powers of the Federal Trade Commission to allow for more investigations into high profile data security breaches. As a result, I expect we will see the FTC become more active in investigating the causes of data security breaches.
Increased oversight will also likely result in increased civil penalties for businesses that do not adequately protect the private information of third parties. Consequently, the failure of a business to implement the appropriate policies to protect the personal information of its customers, employees and business partners could have more drastic consequences in the next few years.
James E. Kurack Jr. is a senior associate with the law firm of Obermayer Rebmann Maxwell & Hippel. He focuses his practice on representing businesses and individuals with respect to privacy and data security issues. Kurack maintains a blog dedicated to privacy and data security issues affecting Pennsylvania businesses at paprivacyanddatasecurity.blogspot.com. He can be reached at 215-665-3169 or james.kurack@obermayer.com.
This article is reprinted with permission from the February 2, 2009, issue of The Legal Intelligencer. © 2009 Incisive Media US Properties, LLC. Further duplication without permission is prohibited. All rights reserved. The information contained in this publication should not be construed as legal advice, is not a substitute for legal counsel, and should not be relied on as such. For legal advice or answers to specific questions, please contact one of our attorneys.