The proposed policy would not apply to healthcare organizations and their business associates that already must comply with the HITECH Act breach notification rule, which has similar requirements. Otherwise, the policy would apply to for-profit and not-for-profit business entities that engage in or affect interstate commerce and use, access, transmit, store, dispose of or collect sensitive personally identifiable information about more than 10,000 individuals during any 12-month period.
The policy would require the reporting of security breaches to the Federal Trade Commission, and the individuals affected, within 60 days unless there is no reasonable risk of harm or fraud. The FTC can grant a business entity an extension of up to 30 days to allow time for the entity to conduct further investigation. The proposal defines a breach as a "compromise of the security, confidentiality or integrity of, or the loss of, computerized data" that results in "unauthorized acquisition of sensitive personally identifiable information or access to that information that is for an unauthorized purpose."
The proposed policy would include two major exemptions, or safe harbors. A business would be exempt from the notification requirements if it conducted a risk assessment that concluded that there is no reasonable risk that a security breach has harmed individuals whose sensitive personally identifiable information was subject to the breach. Also, a breach would not have to be reported if the data were rendered unusable, unreadable or indecipherable through a security technology or methods generally accepted by IT security experts.
The president's proposal also includes a financial fraud prevention exemption in which a business would be exempt if it participates in a security program that effectively blocks the use of the sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual and provides for notice to affected consumers after a security breach that has resulted in fraud or unauthorized transactions.
Enforcement

The FTC would be responsible for enforcement, along with state attorneys general, who could take civil action against violators. Civil penalties would total up to $1,000 a day per individual affected by a breach, up to a maximum of $1 million a violation unless such conduct is found to be intentional.
Besides notifying the FTC and individuals affected, businesses would have to notify the local news media if more than 5,000 individuals were affected by the breach within any state. For these larger breaches, businesses also would have to notify national credit reporting agencies.
Certain breaches also must be reported to an entity designated by the Secretary of Homeland Security. These include: cases affecting more than 5,000 individuals; breaches involving a database containing information on more than 500,000 individuals nationwide; breaches involving databases owned by the federal government; or breaches involving employees or contractors to the federal government involved in national security or law enforcement.
In addition to the White House proposal, Rep. Cliff Stearns, R-Fla., and Rep. Jim Matheson, D-Utah, introduced this week H.R. 1841, the Data Accountability and Trust Act of 2011. An aide to Stearns says the measure is similar to earlier legislation that passed the House Energy and Commerce Committee in 2006. Like the White House proposal, the bill would require institutions to notify consumers of security breaches unless there is no reasonable risk of identity theft.