Today's Trends in Credit Regulation

Data Security: National Legislation Reintroduced and the FTC Continues to Push for Enhanced Consumer Protection
By Patricia Covington and Meghan Musselman

On April 30, 2009, Representatives Bobby L. Rush (D-IL), Clifford Stearns (R-FL), Joe Barton (R-TX), George Radanovich (R-CA), and Janice Schakowsky (D-IL) introduced H.R. 2221, the Data Accountability and Trust Act. The bill is a reintroduction of last year's H.R. 958, which itself reintroduced H.R. 4127 of 2007.

H.R. 2221 establishes uniform national security breach notification requirements and mandates safeguarding policies and procedures for personal information maintained in an electronic format. H.R. 2221 includes broad preemption language, which would alleviate the burden of complying with the current patchwork of 44 state laws on security breach notification. Additionally, the bill contains a risk threshold, exempting from the notice requirement any person that “determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.” Encrypted data is presumed to be exempt; however, this presumption is rebuttable. The Federal Trade Commission would be granted the final say on the scope of the threshold. H.R. 2221 directs the FTC to issue guidance regarding the application of this exemption.

H.R. 2221 also includes a specific provision related to paper records. It requires the FTC to study the practicality of requiring a “standard method or methods for the destruction of obsolete paper documents … containing personal information.” If the FTC satisfies the conditions set forth in H.R. 2221, it may promulgate regulations requiring the use of such standard method(s) to destroy these obsolete documents. The bill also includes special provisions designed to target data brokers, including a requirement to give consumers access to review and correct records maintained about them.

The FTC will have primary, but not exclusive, enforcement authority. State attorneys general may also enforce the provisions of H.R. 2221, except when the FTC “has instituted a civil action for violation.” This grants state attorneys general broad enforcement authority if the FTC has not yet filed a complaint. Both the FTC and state attorneys general may collect civil penalties of up to $11,000 per violation. Each day of non-compliance is treated as a separate violation under the safeguarding provisions, and each failure to send a notice is a separate violation under the security breach notification provisions.

Finally, H.R. 2221 attempts to recognize other federal law on point. The bill grants the FTC authority to “determine to be in compliance … any person who is required under any other Federal law” with respect to the safeguarding provisions. In addition, the FTC may “determine to be in compliance … any consumer reporting agency … with respect to those products and services that are subject to and in compliance with the requirements” of H.R. 2221.

Given the broad authority H.R. 2221 grants to the FTC, it is not surprising that the agency strongly supports this bill. In testimony before the House Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection on May 5, 2009, Eileen Harrington, Acting Director of the FTC’s Bureau of Consumer Protection, offered two additional recommendations to “further enhance” the security of consumer data. The first was to broaden the scope of the bill to include consumer personal information in paper records among the material to be protected under safeguarding policies. The second was to make any provision applicable to data brokers compatible with the Fair Credit Reporting Act, and to focus on uses of information not covered by the FCRA. She cautioned that H.R. 2221 should not displace protections afforded consumers under the FCRA.

If enacted, the Data Accountability and Trust Act would be another law at the FTC's disposal in its efforts to protect the security of consumer personal information and prevent the misuse of this information, particularly in connection with identity theft. Currently, the FTC can rely on Section 5(a) of the FTC Act, the Gramm-Leach-Bliley Act and its implementing Financial Privacy and Safeguards Rules, the FCRA, and the FCRA's Disposal and Red Flags Rules (n.b., the effective date of the Red Flags Rule has been delayed until August 1, 2009) for enforcement actions. Under these existing sources of authority, the FTC has instituted twenty-five law enforcement actions challenging businesses that allegedly failed to adequately protect consumers' personal information. With the additional authority granted under the Data Accountability and Trust Act, FTC enforcement actions will likely increase in number.

The FTC’s most recent enforcement action with respect to information safeguarding was against the private mortgage lender James B. Nutter & Company (JBN). The FTC filed a complaint against JBN alleging that the company failed to safeguard consumer information in violation of the FTC’s Safeguards Rule and that the company failed to provide privacy notices and also provided inaccurate privacy notices in violation of the FTC’s Financial Privacy Rule. JBN settled with the FTC, agreeing to establish and maintain a comprehensive data security program and to hire an independent auditor to examine its security procedures every two years for the next 10 years.

While efforts to pass federal security breach legislation have been unsuccessful in recent years, there are signs that some type of data security and breach notification law will be enacted this session. Representative Rush appears committed to the issue and has announced his intent to hold a joint hearing on consumer privacy with Rick Boucher (D-VA) and the Subcommittee on Communications, Technology and the Internet, as well as to work on comprehensive privacy legislation.

Patty Covington is a partner in the Maryland office of Hudson Cook, LLP. Basis Points readers can reach Patty at 410.865.5409 or by email at pcovington@hudco.com.

Meghan Musselman is an associate in the Maryland office of Hudson Cook, LLP. Basis Points readers can reach Meghan at 410.865.5403 or by email at mmusselman@hudco.com.

Copyright © 2024 CounselorLibrary.com, LLC. All rights reserved.