Data Breach Notification Bill - Enactment of National Standard will Impact Businesses Big and Small
From Venulex.com
On July 21, the "Financial Data Protection Act" (H.R. 3997) was reported out of the House Financial Services Committee. If passed, this Act would impose a business-friendly, national standard for the protection of private consumer data and for the notification of consumers in the event of a data breach. Although the House leadership sought a quick floor vote on the bill, fierce opposition by consumer groups forced the vote to be rescheduled until after the Summer recess.
Both industry and consumer groups recognize the need for such a national standard and have been lobbying hard for data breach legislation. Industry groups are pushing H.R. 3997 because it would enact a manageable, national standard that would alleviate the compliance cost of meeting the different terms of 26 state statutes. Consumer groups, on the other hand, are opposing H.R. 3997 because, in their view, it would water down the current "de facto" national standard driven by industry's need to comply with the most stringent of the existing state laws. These groups instead support the "Data Accountability and Trust Act" (H.R. 4127) and seek to bring it to a vote.
As the below comparison indicates, H.R. 3997 would be a boon to business and would greatly reduce data breach security and compliance costs.
Lower Notification Standards. H.R. 3997 requires individuals to be notified when the security of the personal information (e.g., their social security number, date of birth, financial account number, etc.) has been breached but only if the information is "reasonably likely" to be misused in a manner causing harm or inconvenience to any consumer to whom the information relates. If the company does not know whether there is such a risk, then it does not have to notify the consumer. This makes it weaker than many state laws, which mandate notification on breach.
H.R. 4127, on the other hand, requires notification, except when the company finds that there is no reasonable risk of harm.
Security Freeze. Nearly 20 states have enacted "security freeze" legislation, which allows a consumer to freeze or lock their credit file against anyone seeking to open a new account or get credit in their name. H.R. 3997 would preempt those laws with a weaker freeze, which allows a consumer to request a freeze only after he or she has been a victim of identity theft. H.R. 4127 leaves the security freeze issue to the states, effectively ensuring that the trend of enacting security-freeze laws continues.
Access and Correction of Data Broker Files. H.R. 3997 has no provision for consumers to either access or dispute the contents of a data broker's file, while H.R. 4127 has both.
Information Security Safeguards. Both H.R. 3997 and 4127 require that companies holding specific types of data about individuals must have a security policy. But H.R. 3997 specifically and broadly preempts all state laws that deal with protecting the confidentiality of consumer information and safeguarding it from potential misuse.
Preemption. This is the hot-button area with consumer groups. States have truly led the way in legislating in the identity-theft space, enacting strong breach-notice, security freeze, and other laws. A preemptive Federal law could either strengthen these protections nationwide or pull them down to a less stringent level.
As a full preemption law, H.R. 3997 would preempt all state laws that (i) protect the security or confidentiality of information from potential misuse, (ii) require investigation or notice of a security breach, (iii) require any mitigation of loss from such a breach, or (iv) allow consumers to place security freezes on their credit files.
Enforcement. H.R. 3997 would be enforceable only by the Federal government, while H.R. 4127 allows state attorneys general or other agencies to also take enforcement action.
With an estimated 55 million Americans at risk due to data breaches this year alone, Congress is under tremendous pressure to take some action, and it is likely that one of these bills will become law by year's end.
Copyright © Greenberg Traurig LLP. VenuLex resources are intended for informational purposes only and should not be construed as legal advice.