While privacy legislation languishes in Congress, a number of states enacted new laws in 2014 to strengthen data breach notifications in the wake of the highly publicized data breaches at Target Corp., Neiman Marcus, and other retailers. Three states – Florida, Kentucky, and Iowa – enacted new laws in 2014, with another one in California on the verge of being signed.
On August 27, the California legislature sent a bill (AB 1710) to the governor to expand requirements for maintaining reasonable security practices and procedures to businesses that maintain, in addition to those that own or license, the personal information of California residents. The bill requires that if the party notifying consumers of a data breach is also the party responsible for the breach, the party must offer free identity theft prevention and mitigation services to consumers for one year if the breach might have exposed Social Security numbers or driver's license numbers.
Florida’s new law (SB 1524), which went into effect on July 1, is one of the strictest in the country. It requires notice to the state attorney general and affected state residents within 30 days unless “good cause” is shown for the delay. It mandates notice of breaches of a user name or e-mail address, along with a password or security question and answer, for an online account. It also requires consulting law enforcement if the business or state agency suffering the breach decides not to notify.
The prospects for Congressional action on data breach legislation have narrowed significantly as a result of disagreements within industries over who bears the costs of notification, and between business groups and privacy advocates over the need for state preemption. Those disagreements center around a bill (S. 1976) by Sen. John Rockefeller (D-WV) that would authorize the Federal Trade Commission (FTC) to enforce new rules requiring retailers and other companies to protect sensitive consumer data, such as credit or bank account information, and to notify individuals in the event of a breach. The FTC has been criticized for taking enforcement actions against just a small percentage of the hundreds of data breach cases it has investigated.
At a Technology Policy Institute Forum in Aspen, Colorado on August 18, FTC Commissioner Julie Brill noted that the agency has initiated 53 data security settlements under Section 5 of the Federal Trade Commission Act, which prohibits “unfair and deceptive” trade practices. However, at a hearing of the Senate Commerce Committee in March, FTC Chairwoman Edith Ramirez said legislation was needed to grant the FTC civil penalty authority, Administrative Procedure Act rule-making authority, and jurisdiction over non-profit organizations.
“Under current laws, the FTC only has the authority to seek civil penalties for data security violations with regard to children’s online information under [the Children’s Online Privacy Protection Act] or credit report information under the [Fair Credit Reporting Act],” Ramirez said. “To help ensure effective deterrence, we urge Congress to allow the FTC to seek civil penalties for all data security and breach notice violations in appropriate circumstances.”
Likewise, she said, “enabling the FTC to bring cases against non-profits would help ensure that whenever personal information is collected from consumers, entities that maintain such data adequately protect it.”