Thursday, March 19, 2015

FTC Offers Comments on Draft Data Security and Breach Notification Act of 2015


On March 18, 2015, the FTC provided feedback to Congress concerning the draft Data Security and Breach Notification Act of 2015 (the “Act”). Currently, data breaches are not regulated at the federal level, and while the majority of states have adopted legislation governing data breaches, the standards are not uniform. The Discussion Draft of the Act sets forth two purposes: (a) to establish uniform national data security and breach notification standards for electronic data; and (b) to expressly preempt any related state laws.

In a nutshell, the Discussion Draft of the Act requires that covered entities implement and maintain reasonable security measures and practices to protect and secure personal information in electronic form against unauthorized access, taking into account the size and complexity of the covered entity. The term “covered entities” is more expansive than financial institutions and generally covers those entities within the FTC's general jurisdiction. Specifically, it covers any entity that “acquires, maintains, stores, sells, or otherwise uses data in electronic form that includes personal information”, including common carriers and nonprofit organizations. The draft Act provides for notification of any breach unless “there is no reasonable risk” that the breach will result in identity theft, economic loss or harm, or financial fraud to the consumer. The Discussion Draft of the Act also establishes a threshold for notifying the consumer reporting agencies, requiring such notification if more than 10,000 individuals are affected. The Discussion Draft of the Act further sets forth the timing, contents, and manner of delivery of breach notifications. The Discussion Draft of the Act also provides for civil penalties and allows enforcement by both the FTC and state attorneys general. No private right of action is provided.

The FTC’s position on the Discussion Draft was presented by FTC Consumer Protection Director Jessica Rich and provided general support for the legislation. Before specifically addressing the provisions of the draft Act, Rich gave a brief overview of the Commission’s current data security program, highlighting its current legislative authority, enforcement actions and policy initiatives. Summarizing the FTC’s enforcement philosophy, Rich stated that “the Commission has made it clear that it does not require perfect security; that reasonable and appropriate security is a continuous process of assessing and addressing risks; that there is no one-size-fits-all data security program; and that the mere fact that a breach occurred does not mean that a company has violated the law.”

Speaking directly to the Discussion Draft, the FTC expressed concern that it does not go far enough in the following areas:

  • The definition of personal information. The FTC pointed out that it does not cover certain information covered by some state laws, specifically precise geolocation and health data. The FTC noted that the misuse of, or unauthorized access to, such information can cause both physical and financial harm to consumers.
  • The bill does not address the entire “data ecosystem,” specifically internet-enabled devices. The FTC used pacemakers and automobiles as examples, noting that interception of the information those devices generate could be harmful to consumers.
  • The bill does not include rulemaking authority under the APA. The FTC pointed out that technology is advancing at such a rapid rate that rulemaking authority is necessary to ensure the proposed Act remains relevant and addresses these technological advances.
  • When notice is required. The FTC also raised concerns with the threshold requirements for when notice of a breach is required, suggesting “an approach that requires notice unless a company can establish that there is no reasonable likelihood of economic, physical or other substantial harm.” (emphasis supplied)

The FTC’s Prepared Statement can be found here:  FTC Prepared Statement

The Discussion Draft of the Data Security and Breach Notification Act of 2015 can be found here: Discussion Draft of H.R. ___, Data Security and Breach Notification Act of 2015
