The Data Security and Breach Notification Act of 2015

Advertisement

Jackson Lewis P.C.

On March 25, 2015, the United States House of Representative, Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved draft legislation which would replace state data breach notification laws with a national standard.  This draft legislation comes on the heels of the President’s call for a national data breach notification law.  The proposed legislation is identified as the “Data Security and Breach Notification Act of 2015.”

Advertisement

The overview of the draft provides that “Data breaches are a growing problem as e-commerce evolves and Americans spend more of their time and conduct more of their activities online. Technology has empowered consumers to purchase goods and services on demand, but it has also empowered criminals to target businesses and steal a host of personal data. This costs consumers tens of billions of dollars each year, imposes all kinds of hassles, and can have a lasting impact on their credit.”  Like many existing state laws, the proposal would require companies to secure the personal data they collect and maintain about consumers and to provide notice to individuals in the event of a breach of security involving personal information.

The draft legislation contains several key provisions:

Advertisement

  • Companies would be required to implement and maintain reasonable security measures and practices to protect and secure personal information;

    Advertisement

  • The definition of personal information is more expansive than most state breach notification laws, including home address, telephone number, mother’s maiden name, and date of birth as data elements;

  • Companies are not required to provide notice if there is no reasonable risk of identity theft, economic loss, economic harm, or financial harm;

  • Companies would be required to provide notice to affected individuals within 30 days after discovery of a breach;

    Advertisement

  • The law would preempt all state data breach notification laws;

  • Enforcement would be by the Federal Trade Commission (FTC) or state attorneys general; and

    Advertisement

  • No private right of action would be permitted.

The measure must now be formally introduced in the House of Representatives before further action can be taken.  Notably, similar measures introduced in the past in an effort to nationalize data breach response have all failed.  However, given the number of individuals affected by, or likely to be affected by, a data breach and the fact identity theft has topped the FTC’s ranking of consumer complaints for the 15th consecutive year, support for a national data breach notification law has never been stronger.

Advertisement
ARTICLE BY

Jason C. Gavejian
Jackson Lewis P.C.
Workplace Privacy Blog

Published by

National Law Forum

A group of in-house attorneys developed the National Law Review on-line edition to create an easy to use resource to capture legal trends and news as they first start to emerge. We were looking for a better way to organize, vet and easily retrieve all the updates that were being sent to us on a daily basis.In the process, we’ve become one of the highest volume business law websites in the U.S. Today, the National Law Review’s seasoned editors screen and classify breaking news and analysis authored by recognized legal professionals and our own journalists. There is no log in to access the database and new articles are added hourly. The National Law Review revolutionized legal publication in 1888 and this cutting-edge tradition continues today.