The President proposed this data security legislation in his State of the Union address.

Aspects of the draft bill that MRA supports:

  • the lack of data broker regulations, which have been included in many past data security proposals;
  • the inclusion of both for-profit and not-for-profit companies;
  • a national standard preempting the many conflicting state data security breach notification laws;
  • a safe harbor for when an affected entity runs an appropriate risk assessment and finds no risk of harm;
  • no authorization for private rights of action (unlike Sen. Blumenthal’s S. 1995 in 2014); and
  • a presumption that “unusable, unreadable, or indecipherable” data (i.e., encrypted or deidentified) poses no actionable risk.

Concern #1: Online account access information shouldn’t be included
The proposed definition of “sensitive personally identifiable information” includes online account access information (e.g., usernames/passwords), which don’t necessarily pose a security threat unless they provide access to truly sensitive personally identifiable information. Such types of data and combinations are not broadly recognized as posing a threat of criminal abuse. Beyond that common standard lies a slippery slope where most every piece of data could be included.

Concern #2: Don’t empower the FTC to radically expand the definition of sensitive personally identifiable information
Giving the Federal Trade Commission (FTC) APA rulemaking authority to alter the definition of sensitive personally identifiable information would be a grave mistake. The agency would undoubtedly expand the definition radically. As FTC Commissioner Ramirez[1] and others at the FTC have said, the agency considers almost any piece of data to ultimately be personally identifiable.

The data covered by this bill is best determined by Congress, not an unelected and unaccountable regulatory body. Proponents for more FTC bureaucracy and control have not clearly identified the harms necessitating this expansion of power. Moreover, such radical expansion would result in more uncertainty for American employers, including survey and opinion research organizations, whose livelihood depends on the legitimate and accurate collection and analysis of information provided by consumers. The FTC would still be able to modify the definition using its regular Magnuson-Moss rule-making authority and we feel that should be sufficient to grapple with any major modifications to the definition that might be necessary over time.

Concern #3: Don’t set an arbitrarily brief timetable for data breach notification
The requirement to notify within 30 days of data breach discovery will be too short for some modern data breach investigations, which is why laws usually require a “reasonable amount of time.” HIPAA has a 60 day limit.


[1] For example, at an Energy & Commerce CMT Subcommittee hearing on July 15, 2011: “I think that the touchstone here is information that can be uniquely tied to an individual... broader than the definition that is currently used in the draft bill.”

pdf of MRA's position paper on President Obama's Personal Data Notification & Protection Act