Broadband Internet Service Providers In Regulatory Limbo After Repeal of FCC Privacy and Data Security Rules

data security privacy FCC cybersecurityPotentially signaling the end of the short-lived stint by the Federal Communication Commission (“FCC”) to regulate consumer data privacy on the internet, the Trump Administration recently repealed Obama-era data privacy and security rules for broadband providers.  The action, passed by Congress and signed by President Trump pursuant to the Congressional Review Act, completely rescinds the rules that would have gone into effect later this year.  While the move has been welcomed by industry insiders, it leaves broadband providers in regulatory limbo as the Trump Administration seeks to determine which agency and what rules will oversee data protection in this sector going forward.

The FCC’s Privacy Order and Its Repeal

In November 2016, the FCC released comprehensive consumer privacy and data security rules (the “2016 Privacy Order”) for broadband internet access service (“BIAS”) providers.1  BIAS providers offer consumers high-speed, continuous access to the internet, typically through cable, telephone, wireless, or fiber-optic connections.  They are different from entities such as Amazon and Facebook, which do not provide connections to the internet but rather offer internet services such as cloud storage, messaging, news, video streaming, and online shopping and are regulated, with respect to data privacy matters, by the Federal Trade Commission (“FTC”).

The 2016 Privacy Order would have, among other things, required BIAS providers to obtain affirmative customer consent (“opt-in” consent) prior to using and sharing, for commercial purposes, confidential customer data, such as a user’s web browsing history, application usage history, or geo-location information, and prohibited them from refusing to serve customers who did not provide such consent.  It also required BIAS providers to adopt “reasonable measures” to protect customer data from unauthorized disclosure, and required them to give notice to customers affected by any data breach “without unreasonable delay” but not later than 30 days after determining that a breach had occurred.

Repeal of the 2016 Privacy Order comes as a welcome development for industry groups, which vigorously opposed them both prior to and subsequent to their finalization.  In January 2017, the FCC received multiple petitions to reconsider and stay the order.2  The BIAS industry complained that some of the new rules – particularly the opt-in rule for the use of sensitive customer information – put BIAS providers at a competitive disadvantage because the rules were more restrictive than FTC rules that applied to other internet entities such as Amazon and Facebook and, further, would have required costly updates to BIAS providers’ systems.  In response, the FCC – now with a Chairman appointed by President Trump and a majority of Republican-appointed commissioners – reversed course and, on March 1, 2017, voted to stay some of the provisions of the 2016 Privacy Order that had been due to come into effect.3  Shortly thereafter, Congress and President Trump used their authority under the Congressional Review Act to completely rescind the 2016 Privacy Order.4

Is Net Neutrality Next?

To answer the question of where the Trump Administration might go from here first requires an explanation of how the FCC came to be responsible for regulating data privacy and security for BIAS providers in the first place.

Until 2015, BIAS providers, like other internet service and content providers, were not considered to be “common carriers” by the FCC and, thus, were not subject to data privacy regulation by the FCC.  Instead, for matters concerning data privacy and protection, BIAS providers looked to the FTC.  That changed in 2015, when the FCC issued the “Open Internet Order,”5 which reclassified BIAS providers as “telecommunications services” and, therefore, subjected them to common carrier regulation by the FCC under Title II of the Communications Act of 1934 (“Title II”).  Among other things, Title II requires “telecommunications services” to furnish services to customers “upon reasonable request” and prohibits “unjust and unreasonable discrimination” in the services that common carriers provide.  Title II further provides that “telecommunications services” have a duty to protect the privacy of customer data.6

This reclassification was necessary for the FCC to promote and establish, as the centerpiece of the Open Internet Order, “net neutrality” rules for BIAS Providers.  “Net neutrality” rules require BIAS providers to allow users equal access to all otherwise lawful internet websites, content, and services, without favoring or restricting access, whether the websites are owned or controlled by the service providers’ affiliates, business partners, or competitors.  For example, absent net neutrality rules, a BIAS provider might, in exchange for a fee or other consideration, agree with a video sharing website, such as YouTube, to provide its customers with faster and better access to YouTube than to a rival video sharing website, such as Vimeo.

Previous attempts by the FCC to impose net neutrality rules on BIAS providers had been rejected by the Court of Appeals for the D.C. Circuit.  Most recently, in 2014, the D.C. Circuit held that the FCC did not have the authority to impose net neutrality rules on BIAS providers because they were not subject to the common carrier rules under Title II.7  In response, the FCC reclassified BIAS providers as common carriers in its Open Internet Order.  The 2016 Privacy Order was an attempt by the FCC to further define the data privacy and protection rules that applied to BIAS providers under Title II.

The Trump Administration now seeks to return the BIAS industry to privacy oversight by the FTC, as both the current FCC and FTC Chairpersons have indicated that “jurisdiction over broadband providers’ privacy and data security practices should be returned to the FTC, the nation’s expert agency with respect to these important subjects.”8  However, this is easier said than done, as it would require that the FCC revoke the Open Internet Order and its accompanying net neutrality rules.  Such a move would be favored by the BIAS industry and the new Chairman of the FCC, Ajit Pai, who regards the net neutrality rules as a “mistake,”9 but would be met by criticism from many major internet content providers and services, such as Amazon, Google, and Facebook.10

In the meantime, the FTC is without authority to regulate BIAS providers regarding data privacy, as the FTC Act contains an express exemption of FTC jurisdiction for common carriers.11  Further complicating matters is an August 2016 decision of the Court of Appeals for the Ninth Circuit, which interpreted the FTC’s common carrier exemption as including all activities of any entity designated as a common carrier, even those activities that are unrelated to the entity’s common carrier business and which otherwise might be subject to FTC jurisdiction if they were carried out by a separate entity.12  If the Ninth Circuit position were to stand and be adopted by other Circuits – the FTC is currently seeking a rehearing en banc – the FCC suddenly might find itself responsible for regulating a host of non-common carrier related business activities merely because they are provided by entities that have been designated as common carriers under Title II.

Many large BIAS providers have faced this uncertainty by pledging to take “reasonable measures to protect customer information” and notify “consumers of data breaches as appropriate” in accordance with the existing FTC data privacy framework (i.e., ensuring that their data security practices are not “unfair or deceptive” in contravention of Section 5 of the FTC Act).[13]

BIAS providers are also presently subject to a host of state laws concerning data privacy and protection, including at least 48 state data breach notification laws, the most recent of which was enacted in New Mexico.14  These laws typically require businesses to notify the state authorities, affected customers, and major credit reporting agencies when the state’s residents’ confidential personal information, such as social security or driver’s license numbers, credit card numbers, and passwords, have been exposed through a data breach.  In addition, some states, such as Massachusetts15 and California,16 also require businesses to implement and maintain reasonable security procedures and practices to protect customer information.  Finally, some states maintain consumer protection laws, which, similar to the FTC Act, generally protect against unfair or deceptive trade practices and have been used by state attorney generals to penalize companies that fail to protect customer data.17


The Trump Administration’s repeal of the 2016 Privacy Order has provided a respite for the BIAS industry from vigorous new requirements that would have gone into effect this year.  However, it also has created a period of regulatory uncertainty as regulators determine the way forward, including the fate of the Open Internet Order.  In the meantime, BIAS providers should, as they have promised, continue to follow reasonable data privacy and protection practices, consistent at least with those required by the FTC, and also carefully consider whether any other applicable federal or state data privacy laws apply to their business.

© Copyright 2017 Cadwalader, Wickersham & Taft LLP

Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Report and Order, 31 FCC Rcd 13911 (2016), available at

Seee.g., Joint Petition for Stay, available at“Stay Petition”).

See Order Granting Stay Petition, available at

See S.J. Res. 34 – 115th Congress, available at

See Protecting and Promoting the Open Internet, Report and Order on Remand, Declaratory Ruling, and Order, 30 FCC Rcd 5601 (2015), available at

See 47 U.S.C. § 222(a) (“Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to . . . customers.”).

See Verizon v. F.C.C., 740 F.3d 623 (D.C. Cir. 2014).

See Joint Statement of Acting FTC Chairman Maureen K. Ohlhausen and FCC Chairman Ajit Pai on Protecting Americans’ Online Privacyavailable at

See Remarks of Federal Communications Commission Chairman Ajit Pai at the Mobile World Congress (February 28, 2017), available at

10 See Google, Facebook and Amazon write to FCC demanding true net neutrality, The Guardian (May 7, 2014), available at

11 See 15 U.S.C. § 45(a)(2).

12 See F.T.C. v. AT&T Mobility LLC, 835 F.3d 993 (9th Cir. 2016).  The FTC has sought rehearing en banc.

13 See Stay Petition, ISP Privacy Principles.

14 See New Mexico H.B. 15, Data Breach Notification Act (2017).

15 See Mass Gen. Laws Ann. ch. 93H, § 2.

16 See Cal. Civ. Code § 1798.81.5(b).

17 Seee.g., Press Release, A.G. Schneiderman Announces $100K Settlement with E-Retailer after Data Breach Exposes Over 25K Credit Card Numbers, N.Y. State Attorney General’s Office (Aug. 5, 2016), available at

Privacy and Data Security in the Trump Administration

data breach, privacyPrivacy and data security issues were prominent in the campaign. Allegations were even made that Russia was behind the DNC hack.

Despite it being front and center in the campaign, cybersecurity did not generate specific policies from the Trump campaign. One thing Donald Trump did promise was a top to bottom review of US cyber defense and security led by government, law enforcement, and private sector experts.  He also committed to establishing a Justice Department task force to coordinate responses to cyber attacks and a cyber review team to audit existing government IT systems.

Another area on which the President-elect spoke was the need to clamp down on the theft of US intellectual property, especially by foreign nations and competitors. Tools already exist to do that, of course: Economic Espionage Act of 1996.  Congress, which earlier this year enacted the Defend Trade Secrets Act, is likely to respond favorably to any additional resources or authorities the new administration might seek for this purpose.

Related to cyber security were Mr. Trump’s comments on encryption during Apple’s dispute with the Justice Department in the wake of the San Bernardino terrorist attack. Trump sided strongly with law enforcement, and we can expect Congress to return to the subject of encryption in the coming session.  Whether anything happens legislatively is uncertain, and some in Congress want to await the pending report of the National Academy of Science on encryption, which will remain a highly contentious issue.  Still, Candidate Trump’s comments show where he stands.  One wildcard in the debate may be how weakened is FBI Director Jim Comey, who has been leading the charge on encryption issues for law enforcement.

Also due for legislative consideration in 2017 is the renewal of section 702 surveillance authority under the FISA Amendments Act, which is due to sunset at the end of the year. Trump is likely to take a much more pro-surveillance position than either the current administration or Secretary Clinton might have taken.  Privacy advocates in both parties are likely to press for changes in the law, but at this point the odds would be against them.

Either on its own or in conjunction with the section 702 debate, Congress is likely to return to consideration of ECPA reform. The House passed the E-mail Privacy Act unanimously this Congress, but it stalled in the Senate due to privacy groups’ opposition to an amendment sought by Senator Cornyn.  The must-pass section 702 legislation is likely to provide a vehicle for e-mail privacy and related ECPA reform legislation if it does not move on its own.

Also in the mix on these issues is consideration of legislation clarifying and modernizing how domestic law enforcement accesses data across national borders. Legislation addressing that issue enjoys prominent support in Congress and may well get taken up in conjunction with ECPA reform or get lumped in with that in the context of section 702 renewal.

And the House Judiciary Committee is already moving ahead with a hearing scheduled to consider protecting geolocation data, setting up another area of dispute between law enforcement and privacy advocates.

Also in the mix legislatively will be proposals on how firms deal with data breaches and theft of information. The recently disclosed hack of Yahoo and the DNC hack have again raised the profile of data breach issues.  While there is consensus that something should be done, disagreement remains on the details, including whether a federal law should preempt state data breach laws.  There is little reason to expect that the disagreements can be bridged or that legislation will in fact move forward.

Finally and briefly, among other issues that Congress is likely to look at, though on which a legislative solution is unlikely are:

1) how to address distributed denial of service attacks, and the inter-related topic of the growth of the Internet of Things, on which several committees have already scheduled hearings in the wake of the recent significant DDOS attack. At this stage, Congress is likely to seek to continue to build its level of understanding of the issues here rather than act on anything;

2) how to address the recruitment of terrorists and the spread of violent extremism through social media; and

3) the implementation of last year’s Cybersecurity Information Sharing Act by the Department of Homeland Security.

One final point: the key players on these issues are likely to remain the same. One possible change would have Senate Judiciary ranking member Pat Leahy, just reelected, move to become ranking member of the Appropriations Committee, which could open the door for Senator Feinstein to become ranking member of the Judiciary Committee.  She would be more sympathetic to law enforcement and less aligned with the privacy advocates than Senator Leahy has been.  However, her move might allow tech-friendly Senator Mark Warner to become vice chairman of the Intelligence Committee, of which Senator Richard Burr will remain as chairman after his reelection.

© 2016 Covington & Burling LLP

Recent Studies Show Increasing Need For Employee Training in Data Security

employee trainingTwo recent studies show an increasing need for companies to better train their employees in data security to prevent data and monetary loss. On September 7, 2016, Wells Fargo Insurance released a study on cyber security showing some interesting trends in companies with $100 million or more in annual revenue. The second-annual study questioned 100 decision makers on issues of data, hackers, network vulnerabilities, and other cyber security matters. The study showed that companies were nearly twice as concerned with losing private data as they were with being hacked or having some other security breach disrupt their system.

In particular, Wells Fargo noted the surprising trend that companies are not more concerned with employee misuse of technology  (finding only 7% of companies believed that their employees’ misuse of technology posed a potential threat).  Yet this is a real issue. This was confirmed in another study released this month by the Ponemon Institute – 2016 Cost of  Insider Threats – which showed that organizations are spending on average $4.3 million annually to mitigate and resolve insider threats. “Companies perceive insider threats as mostly driven by malicious employees, but the fact is that a significant portion of the risk is due to insider carelessness.”

The Ponemon report polled 280 IT and security practitioners from medium and large organizations. It found a total of 874 insider incidents over the course of a year, 65% of which were caused by employee or contractor negligence, 22% by malicious employees or criminals, and about 10% by imposter fraud. The security incidents from negligence cost the respondents about $207,000 per incident and about $2.3 million annually.

But both studies point out that what companies are doing to combat what has been termed “the human factor,” or an employee’s misuse of technology, is not enough. As noted in the Ponemon report, the “training programs that companies have are just not very good. They are really focused on check-the-box compliance requirements to show everyone that [the] company [has] training on data protection.” Wells Fargo noted, “[c]yber risk management is first and foremost about education,” and this applies to companies both big and small. In the domain of imposter fraud alone, where a fraudster gains access to the email account of a company’s senior executive and then requests a payment, the professional risk practice at Well Fargo handles five to ten of these incidents each week, from clients that are not well-known brands.

In addition, the time to contain these insider-related incidents correlates directly to the total cost to the company. The Ponemon study showed that it took more than 60 days to contain the incident or attack for 58% of their sample, with another 20% experiencing containment within 30 days.

So what should companies be doing? Companies are most frequently using data loss prevention tools and mandatory user training and awareness. However, as the Ponemon study shows, deployment of user behavior analytics would result in the largest total cost savings, at $1.1 million (based on the mean value of $4.3 million), and could drive the most impact in terms of cost on investment. The recommendation is to focus on visibility and transparency – not on stringent controls – and to build “a layered defense that delivers a comprehensive range of capabilities across visibility, detection, context and rapid response.”

© Polsinelli PC, Polsinelli LLP in California

Employee Error Accounts for Most Security Breaches

security breachesA recent study by a well-known information security company captures one of the most common information security fallacies: that information security is a technology problem. Most businesses view mitigating information security risks as falling squarely in the purview of their information technology department. However, this study reports that human error actually accounted for nearly two-thirds of security compromises, far exceeding causes like insecure websites and hacking.1 While technological measures (e.g., anti-virus software, access controls, firewalls, and intrusion detection systems) are clearly important, their effectiveness pales in comparison to the benefits gained by effective security awareness training.

Just as troubling, another recent study found a 789% increase in e-mail phishing attacks containing malicious code, including ransomware, in the first quarter of 2016 over the final quarter of 2015.2 Phishing, which is an attempt to obtain confidential information or access by fraudulently posing as a legitimate company seeking information via e-mail, instant message or other electronic communication, specifically preys on employees who have not been trained to recognize the scam. A successful phishing expedition can result in the loss of confidential and financial information, system disruption and consumer litigation exposure. Every industry is impacted and at risk.

The results of these studies should serve as a clarion call to businesses. While we have long known that the human component is the key to improved security,3 it is also one of the most neglected areas in many business’ information security programs. Security awareness training for employees is one of the most important and effective means of reducing the potential for costly errors in handling sensitive information and protecting company information systems. Regardless of how much money and effort a business spends on its technological security measures, it cannot achieve an adequate level of security without addressing the human component.

Awareness training can ensure employees have a solid understanding of employer security practices and policies, as well as the tell-tale signs of an attempt to gain improper access to computer systems and confidential information. In contrast, uninformed employees are susceptible to mistakes, malware, phishing attacks, and other forms of social engineering. They can do substantial harm to a company’s systems and place its data at risk. The recent spate of ransomware attacks highlight just how critical the human element really is, as almost every one of those attacks resulted from human error.

First and foremost, it is critical that training programs have the participation of and include input from all relevant stakeholders at the company, including Human Resources, IT, Information Security, Legal, and Compliance.

Key aspects of any successful training program should also include the following:

  • Train on an ongoing basis. Avoid limiting training to when an employee is first hired or assigned to a new role in the organization

  • Train creatively, not just in a non-interactive classroom setting

  • Look for means to introduce interactivity into the training process

  • Have a means of measuring progress

To be truly effective, a security awareness program must provide “multiple methods of communicating awareness and educating employees as well (for example, posters, letters, memos, web based training, meetings, and promotions).”[1]

Training can be conducted through a number of means:

  • Classroom sessions

  • Webinars

  • Security posters and other materials in common areas

  • Brown bag lunches

  • Helpful hints distributed to employees via e-mail or corporate intranet posts

  • Simulated phishing attacks (e.g., systems that will periodically send phishinge-mail to employees attempting to lure them into clicking on an attachment or a hyperlink and then alerting the employee that they have engaged in an insecure activity)

Additionally, having comprehensive and understandable employee policies is critical to a company’s information security safeguards. Readable and effective policies can be used in conjunction with effective employee training to reduce data security incidents caused by human error.

Finally, one of the most effective ways to increase employee security awareness is to help employees understand that good security practices can also benefit them personally. Being security-aware not only serves to protect their employer’s systems, but also helps in better securing the employee’s own personal data and computers. For example, by being more vigilant in identifying potential phishing attacks at work, the employee will become more vigilant in using home e-mail accounts and thereby protect their own data, photographs, financial accounts, etc.

3 See, e.g., Common Sense Guide to Mitigating Insider Threats, 4th Edition.

Data Privacy and Data Security; Two Sides of the Same Coin A Conversation with Patrick Manzo, Executive Vice President, Global Customer Service and Chief Privacy Officer of Monster Worldwide, Inc

The National Law Review - Legal Analysis Expertly Written Quickly Found

Cybersecurity is an important issue facing companies and legal departments across the country.  With high profile, and sometimes embarrassing, data breaches dominating news coverage, data security and privacy have become major concerns.  Patrick Manzo, Executive Vice President, Global Customer Service and Chief Privacy Officer of Monster Worldwide, Inc. will be speaking at the Inside Counsel SuperConference on May 12th, 2015 to give insight into these very important issues.  He will speak on a panel entitled: Cybersecurity Regulations: What you Need to Know.

Manzo says, “There is a drumbeat of data security issues permeating both the mainstream and legal press, and while individuals may have different levels of understanding and engagement, I’m sure that awareness of these issues is high.” There are differing perspectives and approaches on the issue– risk management and policy on one end of the spectrum, technical issues on the other–but importantly, the conversation is underway and there is cognizance at companies, at all levels, of the important of these issues.

Manzo believes a discussion of cybersecurity must consider both data security and data privacy.  He defines data security as, simply, knowing where your data is located, and who may access the data. Data privacy is predicated on data security and requires further understanding how personal data is being collected, processed (and by whom), and transferred, and the consistency of these practices with applicable laws, regulations, and the reasonable expectations of the relevant consumers.   Manzo says, “Data security and data privacy are two sides of the same coin, and we trade that coin for consumer trust.”

Since our modern world is so dominated by data, by its collection, its use, and its analysis, both companies and consumers realize that who we share information with and what they do with it is an important issue.  Manzo uses the term “good data hygiene” to describe what consumers and companies should work towards, and how it is both a company and a consumer’s responsibility to be aware of these issues.  Consumers would do well to acquire a basic understanding of what data they’re sharing and with whom, while companies, Manzo says, “need to be responsible stewards of consumers’ personal information.”

Manzo says, “Data security and privacy should be part of the DNA of a company.”

Data security and privacy are clearly not just IT issues anymore, but instead, Manzo says, “extend into all areas of an organization.”  From a company perspective, good data hygiene requires a strong command of data security and a robust privacy program.  Manzo also advocates that companies be transparent with consumers and customers about their data security and privacy practices.  Transparency requires a company to be aware of what data is being collected and from whom, and what is done with that data–who processes the information, if it is not done in house, and where the information is stored or transferred.  Beyond that, a company should have rules and policies in place to protect the information, and should incorporate data security and privacy into employee training, so that all employees are aware of the issues and concerns.

Manzo says, “Transparency allows you to be upfront and clear with consumers.  You can say, here’s what data I collect, here’s how I use and protect your data, and here’s what might happen to that data.”  Consumers, in turn, need to understand the data they are sharing and reasonably evaluate the attendant risks and benefits, and thereby make an informed decision about sharing their information.

However, it is not just between consumers and companies.  Legislation and regulation have a role to play as well.  “The Federal Trade Commission has a significant role to play in data privacy and security issues, and they have raised consumer and industry awareness of the responsibilities that go hand in hand with using personal information,” Manzo says.  Looking forward, legislation and regulation will play a major role in how companies manage data privacy and security. A clearer, more unified set of rules and laws governing data security and privacy practices, as well as breach notifications, likely enacted on the federal level, would be helpful for consumers and companies.

Right now, companies struggle with a patchwork of laws and regulations.  For example, Manzo says, “to respond to a breach, a company must first pull out a matrix of laws and regulations and determine which apply to the situation.  The patchwork of rules creates unnecessary complexity and slows breach response and notification efforts.”  Moving forward, Manzo says, “more unification of breach response and breach notification laws will be a benefit to consumers and industry.”

Our data soaked society is here to stay, and most have accepted that the risks of having our information available is outweighed by the benefits and the convenience it affords.  That said, more understanding, transparency, awareness and clarification can help consumers and companies move forward in this brave, new, information-saturated world.

You can find more information about the Inside Counsel Super Conference here.


The Data Security and Breach Notification Act of 2015

Jackson Lewis P.C.

On March 25, 2015, the United States House of Representative, Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved draft legislation which would replace state data breach notification laws with a national standard.  This draft legislation comes on the heels of the President’s call for a national data breach notification law.  The proposed legislation is identified as the “Data Security and Breach Notification Act of 2015.”

The overview of the draft provides that “Data breaches are a growing problem as e-commerce evolves and Americans spend more of their time and conduct more of their activities online. Technology has empowered consumers to purchase goods and services on demand, but it has also empowered criminals to target businesses and steal a host of personal data. This costs consumers tens of billions of dollars each year, imposes all kinds of hassles, and can have a lasting impact on their credit.”  Like many existing state laws, the proposal would require companies to secure the personal data they collect and maintain about consumers and to provide notice to individuals in the event of a breach of security involving personal information.

The draft legislation contains several key provisions:

  • Companies would be required to implement and maintain reasonable security measures and practices to protect and secure personal information;

  • The definition of personal information is more expansive than most state breach notification laws, including home address, telephone number, mother’s maiden name, and date of birth as data elements;

  • Companies are not required to provide notice if there is no reasonable risk of identity theft, economic loss, economic harm, or financial harm;

  • Companies would be required to provide notice to affected individuals within 30 days after discovery of a breach;

  • The law would preempt all state data breach notification laws;

  • Enforcement would be by the Federal Trade Commission (FTC) or state attorneys general; and

  • No private right of action would be permitted.

The measure must now be formally introduced in the House of Representatives before further action can be taken.  Notably, similar measures introduced in the past in an effort to nationalize data breach response have all failed.  However, given the number of individuals affected by, or likely to be affected by, a data breach and the fact identity theft has topped the FTC’s ranking of consumer complaints for the 15th consecutive year, support for a national data breach notification law has never been stronger.


Workplace Privacy Blog

New Data Security Bill Seeks Uniformity in Protection of Consumers’ Personal Information

Morgan, Lewis & Bockius LLP.

Last week, House lawmakers floated a bipartisan bill titled the Data Security and Breach Notification Act (the Bill). The Bill comes on the heels of legislation proposed by US President Barack Obama, which we recently discussed in a previous post. The Bill would require certain entities that collect and maintain consumers’ personal information to maintain reasonable data security measures in light of the applicable context, to promptly investigate a security breach, and to notify affected individuals of the breach in detail. In our Contract Corner series, we have examined contract provisions related to cybersecurity, including addressing a security incident if one occurs.

Some notable aspects of the Bill include the following:

  • Notification to individuals affected by a breach would generally be required within 30 days after a company has begun taking investigatory and corrective measures (rather than based on the date of the breach’s discovery).

  • Notification to the Federal Trade Commission (FTC) and the Secret Service or the Federal Bureau of Investigation would be required if the number of individuals whose personal information was (or there is a reasonable basis to conclude was) leaked exceeds 10,000.

  • To advance uniform and consistently applied standards throughout the United Sates, the Bill would preempt state data security and notification laws. However, the scope of preemption continues to be discussed, and certain entities would be excluded from the Bill’s requirements, including entities subject to existing data security regulatory regimes (e.g., entities covered by the Health Insurance Portability and Accountability Act).

  • Violations of the Bill would be enforced by the FTC or state attorneys general (and not by a private right of action).