Data Security Breaches -- Congress and State Legislatures Propose a Myriad of Protective Legislation
March 2, 2007 | Authors: Janet P. Peyton; Stephen Gold; Kenneth K. Dort
Law Firms: McGuireWoods LLP - Richmond Office; McGuireWoods LLP - Chicago Office
    In the past, companies have viewed data security breaches as a customer relations issue -- to be handled by the company internally, and often without any notice to the consumers whose data might have been lost or improperly disclosed. In light of recent high-profile breaches, however, data security legislation is now the “it” topic among state and federal legislators. Six new state laws requiring notification to consumers of data security breaches went into effect in January 2007 alone (in Arizona, Hawaii, New Hampshire, Utah, Vermont and Maine). In addition, Michigan Governor Jennifer Granholm signed yet another data security breach notification law in January, which will take effect in July 2007. These measures add to the patchwork of state laws around the country, requiring varying levels of notification depending upon the type of breach. This wide array of state laws is creating a significant incentive for standardization at the federal level, and there is a great deal of pending federal legislation that will likely preempt these state laws.

    One of the most significant pending proposals at the federal level is the Notification of Risk to Personal Data Act of 2007 (S. 239). The bill, re-introduced in 2007 by Sen. Dianne Feinstein (D-California), would require notification of a data security breach not only to the affected individuals themselves, but also to (i) credit agencies, for breaches affecting more than 1,000 individuals, (ii) the media, for breaches affecting more than 5,000 individuals, and (iii) the U.S. Secret Service, for breaches affecting more than 10,000 individuals.

    In the House of Representatives, a proposal by Rep. Lamar Smith (R-Texas) would criminalize the intentional withholding of information about major security breaches. His bill, the Cyber-Security Enhancement and Consumer Data Protection Act (introduced last year as H.R. 5318), would provide for up to five years in prison for knowingly failing to provide notice to either the FBI or the Secret Service regarding a major security breach, with the intent to prevent, obstruct, or impede a lawful investigation of such breach. “Major security breach” is defined as a breach that impacts 10,000 or more individuals or any security breach of the databases of the federal government.

    These are just a sample of the numerous bills pending in Congress. Companies that maintain databases of personally identifiable information and/or enter into contracts relating to management of data should be ready for the advent of federal regulation in the area of data security breaches. Contracts for services involving data should commit the vendors (whether data center providers, IT consultants, application service providers, or others who will have the potential for involvement in a data security breach) to comply with changing requirements (not just existing ones), to cooperate in remediation following any breach, and to cover or share the costs of such compliance.