The White House wants a national data security standard. Several days after first announcing the initiative, President Obama released draft language to try to achieve it.

“The Personal Data Notification & Protection Act” would apply to most survey, opinion and marketing research companies, organizations and departments. It would cover any for-profit company or non-profit organization “engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period.”

(UPDATE: Senator Bill Nelson, as promised, has since introduced the President's draft as S. 177, and Rep. Jim Langevin (D-RI-02) introduced it as H.R. 1704.)

Security breach notification
Any covered entity discovering a security breach would have to “notify any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired, unless there is no reasonable risk of harm or fraud to such individual.”

Such notice would have to be given “without unreasonable delay” following discovery. “Reasonable delay” can’t exceed 30 days, unless federal law enforcement or national security authorities say otherwise. However, if an entity suffering a breach seeks additional time, and can demonstrate to the FTC “that additional time is reasonably necessary to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment, restore the reasonable integrity of the data system, and provide notice to an entity designated by the Secretary of Homeland Security to receive reports and information about information security incidents, threats, and vulnerabilities when required,” then the FTC “may extend the time period for notification for additional periods of up to 30 days each.”

Safe harbor and exemption
Entities could gain a “safe harbor” exempting them from having to provide breach notification if a risk assessment determines “there is no reasonable risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach.”

Similarly, if the data “was rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted by experts in the field of information security,” the entity could presume “that no reasonable risk exists.”

Should an entity claim a safe harbor, they would have to inform the FTC within 30 days of “the results of the risk assessment” and their “decision to invoke the risk assessment exemption.”

Of course, should an entity fail to “conduct the risk assessment in a reasonable manner or according to standards generally accepted by experts in the field of information security,” or submit “fraudulent or deliberately misleading information,” it would be in violation of the Act.

State preemption
The Act would preempt all conflicting state data security laws, although it would allow states to require additional information in the breach notices to consumers.

Key definitions
The Act defines “security breach” as “a compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in – (A) the unauthorized acquisition of sensitive personally identifiable information; or (B) access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization.” Law enforcement or intelligence services activities would not qualify as a breach.

The Act defines “sensitive personally identifiable information” as “any information or compilation of information, in electronic or digital form that includes — (1) an individual’s first and last name or first initial and last name in combination with any two of the following data elements: (A) home address or telephone number; (B) Mother’s maiden name; (C) month, day, and year of birth; (2) a non-truncated social security number, driver’s license number, passport number, or alien registration number or other government-issued unique identification number; (3) unique biometric data such as a finger print, voice print, a retina or iris image, or any other unique physical representation; (4) a unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code; (5) a user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account; or (6) any combination of the following data elements: (A) an individual’s first and last name or first initial and last name; (B) a unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code; or (C) any security code, access code, or password, or source code that could be used to generate such codes or passwords.”

The FTC would explicitly be given extraordinary rulemaking authority (under the Administrative Procedure Act, section 553 of title 5, U.S. Code) to redefine sensitive personally identifiable information to include just about anything the agency so chooses.

The FTC would enforce violations of this legislation as unfair or deceptive practices (and thus as violations of Section 5 of the FTC Act).

State Attorneys General could also bring civil suits for violations of the Act, with “civil penalties of not more than $1,000 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $1,000,000 per violation unless such conduct is found to be willful or intentional.”

Entities would not be subject to the Act “to the extent that they act as covered entities and business associates” or “vendors of personal health records and third party service providers” under HIPAA and are already subject to the data security requirements of that healthcare data privacy law.

MRA’s position on the Personal Data Notification & Protection Act
There are some positive aspects we appreciate finding in President Obama’s draft bill, such as:

  • the lack of data broker regulations, which have been included in a number of data security proposals in the past;
  • the inclusion of both for-profit and not-for-profit companies, since data breaches do not recognize the difference;
  • a national standard preempting the many conflicting state data security breach notification laws;
  • no authorization for private rights of action (unlike Senator Richard Blumenthal’s Personal Data Protection and Breach Accountability Act);
  • a safe harbor for when an affected entity runs an appropriate risk assessment and finds no risk of harm; and
  • a presumption that “unusable, unreadable, or indecipherable” data (i.e., encrypted or deidentified) poses no risk if breached.

However, there are plenty of issues with this draft legislation that concern us as well, such as giving state Attorneys General authority to enforce the law (although that is common to many such bills) and setting a 30 day time limit for breach notification (instead of the standard “reasonable amount of time,” which provides more flexibility when necessary).

The two biggest problems with the Act are the definition of sensitive personally identifiable information and the FTC’s extraordinary authority to dramatically expand that definition.

The definition itself is mostly standard stuff, focusing on the kinds of information most susceptible to criminal abuse and identity theft. However, partially thanks to the precedent set by California S.B. 46, Obama’s draft includes online account access information (like usernames and passwords). While that could pose a privacy concern, unless that online account contains other data that would qualify as sensitive personally identifiable information, access to that account should not be considered a data security concern.

The even bigger problem posed by the Act is the FTC’s extraordinary rulemaking authority to redefine sensitive personally identifiable information, authority specifically denied to the agency because of its abuses in the 1970s. FTC staff and commissioners have stated on numerous occasions that they consider most types of data to be ultimately personally identifiable. For instance, during Q&A in a House Commerce Manufacturing and Technology Subcommittee hearing on June 15, 2011, FTC Commissioner Edith Ramirez indicated that the FTC would most likely use that authority to expand the definition far beyond Congress’ intentions, saying, “I think that the touchstone here is information that can be uniquely tied to an individual ... broader than the definition that is currently used.”

The definition should rightfully be set by Congress, not an unelected regulatory body, and set in a limited fashion. That is why we helped pass an amendment to data security legislation in 2011 (the SAFE Data Act) to specifically restrict the FTC’s regulatory authority to expand that definition.

So the President’s data security draft is certainly a mixed bag, with a few key problems we’ve encountered before.

Senator Bill Nelson (D-FL), ranking member on the Senate Commerce Committee, says he will be introducing legislation based on the President’s draft, and chairman John Thune (R-SD) has said positive things about the proposal, at least in vague concept.

Could 2015-2016 be the Congress that gets a data security bill passed into law? Perhaps. MRA will work to ensure that the best version possible comes to fruition.