In part one, we took a look at some of the bill’s basic characteristics, its political context, and its likely prospects. In this part, we’ll address what we see as some areas of concern with the bill:
Complexity, Imprecision — The bill sets forth a very dense, complex regulatory framework for data security and for protecting consumers’ privacy, both for data brokers (Title III) and for most organizations that maintain customer databases (Title IV). However, the bill contains specific exemptions for the financial services and healthcare industries, which are already covered by, respectively, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. Indeed, many organizations that do not now employ full-time staffers to look after data security and privacy will need to devote new resources and personnel to this area in order to manage the program requirements spelled out in Title IV — if nothing else (and if enacted), the bill would no doubt be a great boon to privacy and security consultants.
There has also been speculation and concern recently regarding whether the bill would in fact cover the operators of large email discussion lists, stemming from the bill’s use of a rather broad definition of “business entity.” In another area of imprecision, the bill also requires that the privacy programs spelled out in Title IV protect against the use of personal electronic records “that could result in substantial harm or inconvenience to any individual” (Sec. 402). It remains unclear what is meant by “substantial harm” or “inconvenience.”
Further, the privacy programs must be assessed and updated on a regular basis to account for changes in (among other things) technology, sensitivity of personal information, and internal and external threats. Considering that businesses can be held civilly liable for security violations under the bill, there would appear to be a real incentive for getting these assessments correct.
Notification Exemptions — The bill also includes a number of potentially troubling exemptions to the notification requirement. For starters, Sec. 424 specifies an exemption from notification requirements if, after the completion of a risk assessment performed in consultation with law enforcement, it is determined that “there is a de minimis risk of harm to the individuals” whose information is at issue in a security breach. The section also includes a so-called “fraud prevention” exemption whereby an organization would not be subject to the notification requirement if the nature of the information disclosed in a security breach “cannot be used to facilitate transactions or facilitate identity theft to further transactions with another business entity.”
Preemption — As written, S. 1332’s data breach notification provisions (see Sec. 427) appear to preempt individual state notification laws to some extent. While it is not clear how much preemption there is in this bill, this provision may trouble state policymakers and privacy advocates. State laws can often be stronger, more tailored to a specific state’s needs, and more adaptable than federal law. In fact, many state-level policymakers were pushing for a federal law that would allow states the freedom to enact stronger, and often more experimental, policies — for example, see the testimony of Vermont’s attorney general before a recent Senate Commerce Committee hearing on ID theft solutions.
We will of course post updates about the bill and its progress here.