Senate Introduces Bills to Protect Your Personal Data
This year has seen data breach after data breach on unprecedented levels–Yahoo, Uber, Equifax, and more. We’ve seen multiple breaches in one year which have each broken previous records set for the sheer size of a breach. This has led to serious concerns about privacy as people scramble to secure their online information and protect against credit card fraud through credit freezes and the like. Congress has responded to this heightened concern with two recent bills on the topic known as the Consumer Privacy Protection Act of 2017 and the Data Security and Breach Notification Act.
These two acts, taken together, represent a substantial step forward in terms of the data protection requirements placed on corporations. The Consumer Privacy Protection Act focuses on improving the data security required of larger companies, almost certainly a direct reaction to the Equifax breach and, to a smaller degree, the Uber breach. This is especially true given how lackluster Equifax’s security was, drawing substantial criticism in the wake of their breach. Uber went so far as to have administrators publish code containing private usernames and passwords to the software repository website GitHub.
The Data Security and Breach Notification Act deals more with requiring faster and more thorough reporting of substantial data breaches. This is likely a response to the Yahoo and, once again, Uber breaches. Yahoo kept a breach of then-record-breaking size–around 500M people affected–from the public for years. Uber didn’t report its breach for at least a year after it became aware of the security issue. We are seeing continuously larger and more dangerous data breaches, and Congress is finally acting on this. Let’s take a look at these two acts and the steps they take to protect your data and your privacy.
The Consumer Privacy Protection Act of 2017
To put it simply, if a company holds data on 10,000 or more U.S. citizens, it is required under this act to put into place a comprehensive privacy and data security program that is scaled appropriately to the size of the company, the nature of its business (for example, a company holding more crucial information such as bank records or social security numbers would require more security than one that did not), the amount of information it holds, and what it does with that information.
The legislation specifically targets personally identifiable information for protection. This is a common legal phrase, although its definition varies depending on where you are. However, it can be thought of as information that could be used to link you to data. This is an important distinction, as it does not require the same protections for things like metadata.
Under the act, there are a number of categories of data that are specifically highlighted for protection requirements: driver’s license numbers, social security numbers, passport numbers, financial account numbers, debit card or credit card numbers when in combination with a PIN or security code, online usernames and passwords, fingerprints, retina or iris scans, physical and mental health data, private digital photographs and videos, and geolocation data. Under the act, a security breach occurs when there is a reasonable basis to believe that compromised security or privacy of data has resulted in unauthorized access to or acquisition of sensitive personally identifiable information (often abbreviated as PII) such as the things listed above.
The act will require these security policies to be implemented as quickly as possible and will require notification of the discovery of a breach without unreasonable delay. Where a breach occurs, the law requires the breached company to give five years of free identity theft prevention services to anybody affected who asks for them. It also forbids automatic enrollment in such services without specific consent, so it will be more important for you to make the effort to ensure you get such services if the law passes. The bill does not allow you to sue under it, but it includes fines from the FTC for reported violations. The penalties start at $16,500 and scale up based on the size of a breach. This is fairly small given the sheer scope of some of these breaches, but remember that they are a minimum.
The Data Security and Breach Notification Act
We’ve seen that the Consumer Privacy Protection Act has some elements requiring swift reporting. However, the recent Data Security and Breach Notification Act takes this even further. It has some similar elements, requiring heightened security measures. However, if passed, it would also require nationwide notice if a security breach occurs.
The bill will require the Federal Trade Commission (FTC) to take steps to provide in-depth requirements for security policies within a year of the act passing. These requirements would be fairly in-depth, covering how data can be collected, used, sold, disseminated and maintained; the appointment of a specific data security and management officer; a process for finding, monitoring, and dealing with security weaknesses; a process for quickly addressing any weaknesses; a process for disposing of data in a permanent, irretrievable form; and the destruction of paper forms.
The notification requirements of the act would require quick notification–within 30 days of learning of the breach–of all those nationwide who could reasonably be believed to have been affected by the breach. It also generally requires notification to the FTC. These are pretty standard in most data breach reporting statutes around the nation; however, there are a few additional elements that expand reporting requirements beyond the norm. First, where there is a breach of security of a system maintained by a third-party contractor, the third-party security company must notify the company contracting it, which must then follow the usual reporting requirements. The second big change is that any company with a breach affecting over 5,000 people will have to coordinate with the major credit reporting agencies in providing thorough notifications. Concealing a breach can lead to up to five years in prison.
There are a few exceptions. If the Secret Service or the FBI thinks notification would impede a criminal investigation or impact national security, they may act to delay the normal notifications via a written communication to the company that would normally need to disclose the breach. This exception doesn’t seem to have a limitation on duration; the FBI or Secret Service just have to say how long they want the delay to be.
There is also no reporting requirement under this act where the breached company “reasonably concludes” that there is no reasonable risk of identity theft, fraud, or other unlawful conduct based on the breach. The act also creates a presumption that such a risk doesn’t exist if the security measures render the breached data unusable, unreadable, or indecipherable and this fact is generally accepted by data security experts. This is a rebuttable presumption; if there are facts to the contrary, reporting may still be required and penalties levied against those who fail to do so.
Protecting Your Data is Incredibly Important
You should take steps on your own to make sure your data is secure. However, the information age requires sharing of an unprecedented amount of private information online. The last few years have seen data breach after data breach breaking records for the largest of all time. Several of the breaches in just the last two years have affected more people than the entire population of the U.S. These laws are necessary and hopefully they’ll be passed soon. However, even these laws may not go far enough.
They expand federal data breach protections to the level of many state statutes. However, their exceptions may leave many companies credibly arguing that they delayed reporting breaches based on a belief nobody was really in danger. At the very least, requiring thorough security is a good first step. Hopefully, it is a first step of many.