The Data Security and Breach Notification Act of 2010
To help protect personal information on the Internet and elsewhere, California enacted seminal legislation in 2000, which was significantly strengthened with the passage of SB 1386 in 2002. Since then, other states have enacted similar legislation.
State activity, however, may be preempted by proposed federal legislation. On August 5, 2010, S. 3742, the Data Security and Breach Notification Act of 2010 (the “Act”), the most recent federal effort to preempt state laws on the subject, was introduced by Sen. Mark Pryor (D-Ark.), chairman of the Subcommittee on Consumer Protection, Product Safety, and Insurance, and co-sponsored by Sen. John D. Rockefeller IV (D-W.Va.), chairman of the Senate Commerce Committee. The Act is less protective of consumers than California law. Among other things, it:
(1) Preempts any state or local law or regulation covering the same subject matter, as applied to entities subject to regulation by the FTC and to non-profits;
(2) Creates a “risk of harm threshold,” so that, if a covered entity determines that there is “no reasonable risk of identity theft, fraud, or other unlawful conduct” resulting from the breach, no notification or other action is required;
(3) Eliminates the private right of action for victims afforded by California law and the laws of other states;
(4) Precludes any action by state or local law enforcement agencies during the pendency of an FTC enforcement action; and,
(5) Caps the exposure of violators to $5,000,000 for each violation of the information security provisions of the Act, and to $5,000,000 for all violations of the notification provisions of the Act arising from a single data breach.
The Act also vests the FTC with primary jurisdiction and with the right to engage in extensive rulemaking to establish and implement policies and procedures governing information security practices for the treatment and protection of personal information. In doing so, the FTC is to take into consideration (A) the size of, and the nature, scope, and complexity of the activities engaged in by, the covered entity; (B) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and (C) the cost of implementing such safeguards.
The Act also defines “personal information” more narrowly than Cal. Civ. Code § 1798.80 by, among other things, eliminating personal health information from the definition, although it does grant the FTC rulemaking authority to expand the definition. In an August 19, 2010 letter, a coalition of business interests including the U.S. Chamber of Commerce, the Financial Services Roundtable, the National Retail Federation, the American Financial Services Association, and the Consumer Data Industry Association raised concerns over the proposed FTC rulemaking authority.
According to media reports of the August 19 letter, the objecting coalition of business interests is concerned that the breach notification requirements of the measure, when applied to “minor” breaches, would unnecessarily alarm unaffected consumers and could unreasonably impede interstate commerce. The letter goes on to state that permitting the FTC to expand a definition that is at the core of the applicability of the proposed federal statute is an inappropriate delegation of Congressional authority to the rulemaking capacity of an enforcement agency, and that this critical function should require Congressional action and not be abdicated to unelected officials.
The Act has the qualified support of Consumers Union.
There is a remote possibility that floor action on the Act may take place toward the end of this year.