Secure and Fortify Electronic Data Act

Congresswoman Mary Bono Mack stated during a hearing this week that “we are not going to take it anymore,” referring to her efforts to pass comprehensive data notification breach reform, in response to the recent announcements by Sony and Epsilon of its major data breaches. As Congresswoman and Chairwoman of the Commerce, Manufacturing and Trade Subcommittee, she also stated that the recent massive data breaches convinced her for the need to introduce the Secure and Fortify Electronic Data Act.

The law would give authority to the Federal Trade Commission (FTC) jurisdiction to promulgate rules “to establish and implement policies and procedures” for securing personally identifiable information (PII). This means that the FTC would develop and codify a set of best practices for securing PII, along with parameters and guidelines for providing consumer notices for data breaches.

The law would apply to an entity that “owns or possesses data containing personal information related to that commercial activity, including an information broker and any third party” that has contracted to maintain such data will be covered under the proposed law.

The proposed regulation outlines several data security requirements that would have to be implemented by any entity that owns or possesses data containing PII, such as (1) a security policy, (2) a person designated as the security point of contact, (3) a security verification and auditing process, (4) a security compliance plan, (5) a process for disposing of PII data, and (6) a data minimization requirements so that data is not stored longer than necessary

An entity that owns or possesses PII that suffers a breach of data must take the following steps: (1) notify law enforcement within forty-eight hours, (2) they must conduct a security assessment to stop current and foreseeable breaches, (3) they must within 48 hours of discovering a breach the entity must determine whether it presents “a reasonable risk of identity theft, fraud, or other unlawful conduct” aimed at the consumer, (4), if the answer to the risk question is yes, then the entity must: (a) notify the FTC of the breach, and (b) they must also notify every consumer whose data was compromised.

The proposed rule has a notice carve-out for third parties. For example, if a third party suffers a breach of PII data that it “maintains or processes” for a client, the third party must notify the client to advise them of the breach. The notified party must subsequently follow-up the notice requirements for breached parties. The problem is that the third-parties are still subject to the fines listed below if they fail to meet their notice obligations. In this instance, third-parties can be liable for fines of up to $11,000 in daily fines with a ceiling of $5,000,000.

Finally, the proposed rule does not allow private rights of action, but the FTC, State Attorneys General and other consumer protection state agencies are granted jurisdiction to enforce the law.