Nelson Pushing Consumer Data Protection

January 13, 2015

WASHINGTON – A key member of the Senate Commerce Committee said he wants Congress to pass legislation that would require companies to quickly notify consumers when there are data breaches.  The lawmaker, U.S. Sen. Bill Nelson (D-FL), said today he intends to file legislation that would do just that.   

Nelson, the ranking member on the Commerce Committee, announced his intentions a day after the president called on Congress to take such action.

The renewed push for consumer notification requirements comes in the wake of recent high-profile data breaches at large companies like Sony, Target, Home Depot and Staples, and after years of congressional inaction on data security lapses.

"How many more consumers will be affected before something is done?" said Nelson. "Now is the time Congress must act."

Specifically, the bill would require companies, under most circumstances, to notify consumers of data breaches within 30 days. It also would direct the Federal Trade Commission (FTC) to develop security standards to help businesses protect consumers' personal and financial data. Additionally, the legislation would provide incentives to businesses that adopt new technologies to make consumer data unusable or unreadable if stolen during a breach.

President Obama on Monday called for more stringent privacy protections for consumers and students during a speech at the Federal Trade Commission.  A more detailed proposal is expected out later today and the initiatives will be discussed in his upcoming Jan. 20 State of the Union address.  

Below is a draft summary of legislation Nelson is working on, as the bill is in the final stages of drafting:


Data Security and Breach Notification Act of 2015 – DRAFT SUMMARY 

The Data Security and Breach Notification Act of 2015 has two primary components: a data security mandate and a breach notification mandate. The bill would direct the FTC to promulgate data security rules for commercial and nonprofit organizations that own or possess data containing “personal information” or those that contract with third parties to maintain such data. Such entities would be required to develop a data security program. The Commission would be directed to consider the size, nature, and scope of activities; existing state-of-the-art protections for such data; and the costs of implementation, including its effect on small businesses.

The bill would define “personal information” as an individual’s non-truncated Social Security number or financial account number (including those for credit and debit cards) and any code or password, as well as a combination of various identifiers. Under the Administrative Procedure Act, the FTC would be able to expand the definition of personal information if it furthers the purpose of the Act and does not unnecessarily burden interstate commerce. 

It would also establish breach notification obligations in the wake of a data breach of electronic information. Specifically, the bill would require a breached entity to notify consumers of a data breach unless the company determines there is no reasonable risk of identity theft, fraud, or unlawful conduct as a result of the breach. In so doing, the bill would also establish a rebuttable presumption of an absence of such reasonable risk when the breached data is “rendered unusable, unreadable, or indecipherable through a security technology or methodology” as established by rules or guidance from the FTC in consultation with the National Institute of Standards and Technology (NIST). A breached entity would be required to notify consumers in a timely manner – no later than 30 days following the discovery of the breach – unless it is not feasible to provide such notice within that timeframe or unless the FBI or the Secret Service has notified the breached entity that notification would impede criminal investigation or national security. The bill also would provide for substitute notification – consisting of email, Internet postings, and print/broadcast media – under certain circumstances. Breached entities would also be required to provide affected consumers with free credit reports for two years unless the FTC determines that such a provision is not feasible due to excessive costs relative to the level of harm.

The bill would authorize both the FTC and state attorneys general to enforce the data security and breach notification provisions of the Act. Violations of the Act would be considered violations of a rule defining unfair or deceptive acts or practices under Section 18 of the FTC Act. By so doing, the FTC would be empowered to seek civil penalties for such violations in addition to its full panoply of equitable remedies. It would preempt state data security and breach notification laws.

Finally, to aid law enforcement, the bill would require covered entities to report security breaches to a federal entity to be designated by the Department of Homeland Security when the breach (1) is of a certain magnitude, (2) involves databases owned by the federal government, or (3) involves information on personnel in national security or law enforcement. The Department of Justice would be authorized to enforce this provision of the bill, which would also establish criminal penalties for certain willful violations.