On June 13, 2011, Representative Mary Bono Mack (R-CA) released a discussion draft of the Secure and Fortify Data Act (the “SAFE Data Act”), which is designed to “protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.” Representative Bono Mack is Chairman of the House Subcommittee on Commerce, Manufacturing and Trade. In a press release, Representative Bono Mack remarked that “E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it – and that starts with robust cyber security.” She added that “consumers have a right to know when their personal information has been compromised, and companies and other organizations have an overriding responsibility to promptly alert them.”
The legislation would apply to persons engaged in interstate commerce that own or possess data containing personal information related to that commercial activity, including information brokers and third parties contracted to maintain data on the person’s behalf. Under the SAFE Data Act, the term “personal information” means an individual’s first name or initial and last name, address or phone number, in combination with any one or more of the following: (1) Social Security number, (2) driver’s license number, passport number, military ID or similar number, or (3) financial account number, or credit or debit card number, and any required security code, access code or password that is necessary to permit access to individual’s financial account. The SAFE Data Act grants the FTC the authority to modify the definition of personal information to the extent necessary to effectuate the Act’s purposes.
In brief, the bill features two key elements:
- Data Security Requirements. The bill instructs the Federal Trade Commission to promulgate regulations that require persons to establish and implement information security policies and procedures regarding the treatment and protection of personal information. The SAFE Data Act exempts from this requirement entities subject to the Gramm-Leach-Bliley Act and HIPAA, as well as certain service providers.
- Breach Notification Requirements. In the event of a breach, which the SAFE Data Act defines as “any unauthorized access to or acquisition of data in electronic form containing personal information,” a person must: (1) notify law enforcement within 48 hours of discovery unless the breach involves the inadvertent access or acquisition of data by the person’s employee or agent and (2) assess the nature and scope of the breach and take mitigating steps to prevent further disclosure. If the person determines, based on the assessment, that the breach presents a “reasonable risk of identity theft, fraud, or other unlawful conduct,” within 48 hours the person must notify the FTC and begin to notify affected individuals “as promptly as possible.” Similar to various state breach laws, the SAFE Data Act specifies acceptable methods for notifying individuals and content requirements, and mandates the provision of free consumer credit reports and credit monitoring in certain instances. Entities that comply with certain other federal laws with breach notification requirements would be deemed in compliance with the notification requirements of the SAFE Data Act.
Violations of the legislation would constitute unfair or deceptive acts or practices enforceable under the FTC Act and may result in civil penalties. While state attorneys general also may bring civil actions on behalf of their residents, there is no private right of action. With respect to state privacy laws, the SAFE Data Act would supersede any provision of a state statute, regulation or rule that expressly requires similar information security practices and breach notification to individuals.