On September 22, 2011, the Senate Judiciary Committee approved three separate bills that would establish a national data breach notification standard. Because the bills were approved on a party-line vote, and several other data breach bills currently are under consideration by other Senate committees, the prospects for these three bills in the full Senate are uncertain.
The Personal Data Privacy and Security Act of 2011 (the “Leahy Bill”), sponsored by Senator Patrick Leahy (D-VT), would require companies to implement a comprehensive data privacy and security program to protect sensitive personally identifiable information, and notify affected individuals in the event of a security breach. The Leahy Bill also contains provisions that would amend the Computer Fraud and Abuse Act to bar claims for unauthorized access to a protected computer if the claim is based solely on the defendant’s violation of a contractual obligation, such as an acceptable use policy or terms of service agreement. Read our prior coverage of the Leahy Bill.
The Data Breach Notification Act of 2011 (the “Feinstein Bill”) is the fifth such bill introduced by Senator Dianne Feinstein (D-CA). It is the most concise of the three bills approved by the Committee, and is limited exclusively to data breach notification. Notably, the Feinstein Bill would provide a safe harbor exemption from its notification requirement if a company conducts a risk assessment and is able to demonstrate to the Federal Trade Commission that there is no significant risk of harm to individuals affected by a security breach.
The Personal Data Protection and Breach Accountability Act of 2011 (the “Blumenthal Bill”) is the broadest in scope. The breach notification provisions in the Blumenthal Bill go far beyond the requirements of any similar state law or proposed federal law. In the event of a security breach, companies would be required to provide individuals (1) written notice by either postal mail or email (unless the individual has opted out of being notified by email), and (2) telephone notice to the individual personally. If more than 5,000 individuals are affected, the entity also would have to provide public notice via major media outlets and electronic notice via all reasonable means of electronic contact between the business and affected individuals (such as the company’s website). In addition, the Blumenthal Bill contains provisions that would prohibit entities from attempting to “monitor, manipulate, aggregate, and market the data collected in the process of intercepting a web search or query entered by an authorized user of a protected computer.”