Senate Commerce Committee Approves Data Breach Notification Bill

April 25, 2007.  The Senate Commerce Committee (SCC) approved S 1178, the "Identity Theft Prevention Act of 2007". See, SCC release. This is a data breach notification bill.

Sen. Daniel Inouye (D-HI), the Chairman of the SCC, introduced this bill on April 20, 2007. Sen. Ted Stevens (R-AK), the ranking Republican on the SCC, Sen. Mark Pryor (D-AR), and Sen. Gordon Smith (R-OR) are the original cosponsors.

The bill requires covered entities (any person or entity with certain data that might facilitate identity theft or fraud) to engage in certain data security practices. It also mandates and regulates the disclosure of security breaches to the Federal Trade Commission (FTC), consumer reporting agencies, and affected individuals. It also empowers consumers to place freezes with consumer credit reporting agencies (CCRAs), subject to numerous exceptions.

The bill preempts state law, with an exception for certain state laws that impose security freezes on consumer credit reporting agencies. It gives rulemaking authority to the FTC. It gives civil enforcement authority to the FTC and state attorneys general. It does not create a private right of action.

Sen. Inouye stated in a release that "The ID Theft Prevention bill provides the consumer a real defense from identity theft. Consumers will be awarded the long-awaited power to limit the use of their social security numbers and place a credit freeze on their accounts."

Sen. Stevens stated in a release that "Studies of identity theft show that Alaskans are particularly susceptible to this criminal activity. It is time for Congress to act. We must take steps to help people protect themselves. I urge the Senate to take up this bill, which has received broad bipartisan support, and pass it quickly."

Security Measures. Section 2 of the bill contains the security measures mandate.

It provides that "A covered entity shall develop, implement, maintain, and enforce a written program for the security of sensitive personal information the entity collects, maintains, sells, transfers, or disposes of, containing administrative, technical, and physical safeguards -- (1) to ensure the security and confidentiality of such data; (2) to protect against any anticipated threats or hazards to the security or integrity of such data; and (3) to protect against unauthorized access to, or use of, such data that could result in substantial harm to any individual."

The bill gives the FTC rulemaking authority with respect to Section 2. It provides that "A covered entity that is in full compliance with the requirements of the Commission's rules on Standards for Safeguarding Customer Information and Disposal of Consumer Report Information and Records is deemed to be in compliance ...".

It also requires the FTC to write regulations "that require procedures for authenticating the credentials of any third party to which sensitive personal information is to be transferred or sold by a covered entity".

However, the bill prevents the FTC from imposing technology mandates. "Nothing in this Act shall be construed to permit the Commission to issue regulations that require or impose a specific technology, product, technological standards, or solution." (See, Section 7.)

Security Breach Disclosure. Section 3 of the bill contains the security breach disclosure mandate.

The bill creates two categories of breaches, those affecting 1,000 or more individuals, and those affecting fewer than 1,000 individuals. For the larger breaches, the bill provides that the entity shall report any "breach of security" to the FTC and "notify all consumer reporting agencies".

Also, "If a covered entity discovers a breach of security that affects the sensitive personal information of fewer than 1,000 individuals and determines that the breach of security does not create a reasonable risk of identity theft, it shall report the breach to the" FTC. It also provides that if the entity "cannot make a determination as to whether the breach of security creates a reasonable risk of identity theft, it may request guidance from the" FTC, which must respond within five business days.

This section also requires notification to affected individuals, if certain conditions are present. It provides that "A covered entity shall use due diligence to investigate any suspected breach of security affecting sensitive personal information maintained by that covered entity. If, after the exercise of such due diligence, the covered entity discovers a breach of security and determines that the breach of security creates a reasonable risk of identity theft, the covered entity shall notify each such individual."

Also, the requirement to notify affected individuals only applies to an entity "which has a direct relationship with the parties whose information was subject to the breach".

Moreover, this section provides that "Unless there is an agreement to the contrary, the entity providing the notice shall be compensated for the cost of the notice".

This section also addresses the manner of notification, content of notification, timing of notification, and law enforcement and national security delays of notification. The bill gives rulemaking authority to the FTC.

ISP and Carrier Exemption. There is an exemption to both the Section 2 and Section 3 mandates for certain stored electronic communications and intercepts of electronic communications.

The bill exempts any "electronic communication of a third party stored by a cable operator, information service, or telecommunications carrier in the network of such operator, service or carrier in the course of transferring or transmitting such communication."

Security Freezes. Section 4 of the bill provides that "A consumer may place a security freeze on the consumer's credit report by making a request to a consumer credit reporting agency in writing, by telephone, or through a secure electronic connection".

This section does not require that the consumer represent that he may be a victim of identity theft or a security breach. However, this section also includes numerous exceptions (addressed below) that would limit a consumer's ability to use security freezes for most purposes unrelated to identity theft and security breaches.

Then, it provides that "If a security freeze is in place on a consumer's credit report, a consumer credit reporting agency may not release the credit report for consumer credit review purposes to a third party without prior express authorization from the consumer."

However, the consumer credit reporting agency (CCRA) may still advise third parties that "a security freeze is in effect with respect to the consumer's credit report".

The bill mandates that "The placement of a security freeze on a credit report may not be taken into account for any purpose in determining the credit score of the consumer to whom the account relates", and that CCRAs may not represent to consumers that a freeze will affect their credit scores.

However, the bill contains exceptions to the freeze for numerous categories of third parties, including any federal, state or local government entity engaged in law enforcement, tax collection, child support collection, or investigation of Medicare or Medicaid fraud.

The bill also provides an exception for court orders, including any "private collection agency acting pursuant to a court order, warrant, subpoena, or other compulsory process".

The bill also includes a broad exemption for any entity to which a consumer has a financial obligation, including a wide variety of agents, debt collectors, and prospective assignees, "for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument".

Key Definitions. Section 11 contains definitions. The bill affects any "covered entity". The definitions contained in the bill provide that this means practically anything, including an individual. It states that the term means "a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity, and any charitable, educational, or nonprofit organization, that acquires, maintains, or utilizes sensitive personal information".

In turn, the bill provides that the term "sensitive personal information" includes a person's name and social security or employer identification number, a username and password that would enable an online financial transaction, and other types of data that might facilitate identity theft or fraud.

The term "breach of security" is defined as "unauthorized access to and acquisition of data in any form or format containing sensitive personal information that compromises the security or confidentiality of such information".

Enforcement. The bill provides, at Section 8, for enforcement by the FTC, other federal financial services regulators (in matters involving their regulated entities), and state attorneys general.

For FTC enforcement, violations shall be "treated as an unfair or deceptive act or practice proscribed under a rule issued under section 18(a)(1)(B) of the Federal Trade Commission Act".

The bill creates no criminal liability. The bill creates no private right of action.

Preemption of State Law. Section 10 of this bill would preempt "any State or local law, regulation, or rule that requires a covered entity to notify individuals of breaches of security pertaining to them" and "any State or local law, regulation, or rule that requires a covered entity to develop, implement, maintain, or enforce information security programs to which this Act applies".

However, the bill would also exempt from preemption certain state laws imposing security freezes on consumer credit reporting agencies. It would exempt "any statute, regulation, order, or interpretation in effect in any State with regards to consumer credit reporting agencies compliance with a consumer's request to place, remove, or temporarily suspend the prohibition on the release by a credit reporting agency of information from its files on that consumer, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this Act, and then only to the extent of the inconsistency." The bill also elaborates on the meaning of inconsistency.

Other Provisions. The bill would also create an Information Security and Consumer Privacy Advisory Committee, require a study by the FTC, and authorize appropriations.

The bill includes a schedule of effective dates, but no sunset dates.