Obama national breach notification proposal: Good news, bad news for firms

The proposed requirement, part of the administration’s cybersecurity legislative proposal submitted to Congress last month, would standardize national data breach notification requirements for US businesses.

“To date one of the frustrating things in compliance has been the variance between the 46 state breach notification laws plus the District of Columbia. One of the frustrating things is how do you comply with so many requirements when almost every breach involves residents across the country in multiple states”, McIntosh told Infosecurity.

“Some laws relate just to electronic information, some relate to electronic and paper, some have special requirements as to when notification is required, some have different content requirements for what has to be in the notice itself…. This is a compliance burden for sure”, he said.

The administration’s proposal would standardize requirements and preempt state law, McIntosh explained. “The good part of this bill is that there is some standardization and it does preempt state law”, he said.

At the same time, the proposal has a much broader definition of what constitutes sensitive personally identifiable information that triggers a breach notification than state laws and other proposals that have been introduced in Congress over the years, McIntosh observed.

The administration's legislative proposal defines sensitive personally identifiable information as follows:

“The term ‘sensitive personally identifiable information’ means any information or compilation of information, in electronic or digital form that includes—(1) an individual’s first and last name or first initial and last name in combination with any two of the following data elements: (A) Home address or telephone number; (B) Mother’s maiden name; (C) Month, day, and year of birth; (2) A non-truncated social security number, driver’s license number, passport number, or alien registration number or other government-issued unique identification number; (3) Unique biometric data such as a finger print, voice print, a retina or iris image, or any other unique physical representation; (4) A unique account identifier, including a financial account number or credit card or debit card number, electronic identification number, user name, or routing code; or (5) Any combination of the following data elements: (A) An individual’s first and last name or first initial and last name; (B) A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code; or (C) Any security code, access code, or password, or source code that could be used to generate such codes or passwords.”

McIntosh said that this proposal contains a much longer “laundry list” of information disclosures that would trigger notification than the current state laws. “If somebody discloses the name, address, and birth date of a person, that triggers a notification”, he said.

In addition, McIntosh noted that the administration proposal includes disclosure of a “unique physical representation” of a person as a breach that requires notification. “Does this include a photograph?” he asked, adding “I’ve never seen that formulation.”

“So it’s much broader than name and government or financial issued number, which is what a majority of the state laws list as protected information”, McIntosh said.

At the same time, the class of businesses to which the requirement applies is narrower than many state laws, he noted. The requirement applies to businesses that have stored information for more than 10,000 individuals during any 12-month period. “So if you are a business that doesn’t keep this type of information for more than 10,000 individuals, then the law doesn’t apply to you”, he said. “They are trying to create some room for small businesses”, he added.

The notice requirement under the administration proposal is similar to state laws, but it allows companies to contract the process to a third party, McIntosh said. Notification can be done by phone, mail, or email, if the business has permission to communicate with the person by email, he noted. If the size of the breach is over 5,000 people affected, the business must notify through the media, he added.

The Obama administration’s proposal is unlikely to emerge unscathed from the legislative process. The US Chamber of Commerce and many House Republican lawmakers have expressed opposition to various sections of the proposal. The national breach notification provisions will be no exception.