In early June, a slew of new bills began circulating in Congress that, if enacted, would impose uniform national data security and data breach notification requirements on entities that collect sensitive personal information. Prompted in large part by recent data breach media coverage, including historic breaches at Sony and Epsilon, there has been a flood of congressional activity on data security. On June 7, 2011, Sen. Patrick Leahy (D-VT) introduced the Personal Data Privacy and Security Act (S. 1151), which was followed on June 15, 2011 by Sen. Mark Pryor's (D-AR) and Sen. Jay Rockefeller's (D-WV) Data Security and Breach Notification Act (S. 1207). The Leahy bill was referred to the Senate Judiciary Committee, while the Pryor-Rockefeller bill was referred to the Senate Commerce Committee. Also on June 15, 2011, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade held a hearing on Rep. Mary Bono Mack's (R-CA) Secure and Fortify Electronic Data Act (SAFE Data Act) Discussion Draft, which has yet to be formally introduced but is very similar to the Pryor-Rockefeller bill.
Common Themes Among the Three Bills
Most significantly, all three bills would require entities that collect and use sensitive personal information to: (1) implement data security policies with specific baseline requirements; and (2) comply with a uniform national data breach notification standard that would supersede the current patchwork of state data breach notification laws. All three bills also impose special requirements on data brokers to provide consumers with access to personal data and the ability to correct any discrepancies in the data maintained by the broker. Under the proposed legislation, the Federal Trade Commission (FTC) would take the lead in promulgating rules and guidance to further the goals of the bills and, in addition to state attorneys general, have enforcement authority.
Civil and Criminal Penalties
All three bills impose steep civil penalties for violations. The Leahy bill also includes criminal penalties. Civil and criminal penalties under the Leahy bill include:
- For data brokers that violate consumer access and correction provisions, civil penalties are $1,000 per violation, per day, capped at $250,000 per violation (double for intentional violations);
- Failure to maintain a security policy could subject entities to $5,000 per violation, per day, capped at $500,000 per violation (double for intentional violations);
- Failure to notify consumers of breaches could result in civil penalties up to $1,000 per violation, per day, capped at $1 million per violation, unless the violation was willful;
- Criminal penalties for intentional concealment from consumers of a data breach that requires notice, subjecting violators to fines and imprisonment of up to five years.
Although the Pryor-Rockefeller bill and Bono Mack draft do not impose criminal penalties like the Leahy bill does, the bills include steeper civil penalties than the Leahy bill, including:
- Failure to implement data security procedures could result in civil penalties up to $11,000 per day, per violation, capped at $5 million for each violation;
- Failure to notify consumers of a data breach could result in civil penalties of up to $11,000 per day, per violation; however, this penalty is capped at $5 million for all violations resulting from a single breach.
These bills add to the growing list of legislation addressing broader data security concerns, including Rep. Cliff Stearns' (R-FL) and Jim Matheson's (D-UT) Data Accountability and Trust Act (DATA Act) and Rep. Bobby Rush's (D-IL) Data Accountability and Trust Act (DATA Act). Additionally, in April 2011 the Obama Administration weighed in on data security with the National Strategy for Trusted Identities in Cyberspace, which calls for enhanced data security and privacy protection and a national data breach notification law. The data security agenda complements the flurry of activity on the consumer privacy front, notably Senators John Kerry's (D-MA) and John McCain's (R-AZ) Commercial Privacy Bill of Rights Act of 2011. While it is unclear if legislation will pass this term, privacy and data security issues continue to gain momentum in Congress. What is clear is that companies need to exercise due diligence in their data security and privacy practices or potentially subject themselves to unwanted litigation, Congressional pressure and regulation, not to mention negative media coverage.
Kelley Drye & Warren LLP
For more information about this advisory, contact:
Dana B. Rosenfeld
John J. Heitmann
Alysa Zeltzer Hutnik
Christopher M. Loeffler