This January, President Obama announced a series of initiatives aimed at protecting consumer data. One of these proposals is the Personal Data Notification and Protection Act (\u201cPDNPA\u201d or \u201cAct\u201d), which would create a federal standard for data breach notifications. If passed, businesses will need to know these new requirements to prepare adequately for a data breach and to avoid potential litigation should one occur.<\/p>\n
The proposed PDNPA would cover any business that \u201cuses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information\u201d of more than ten thousand people in a one-year period. Such business would have to give notice to the owners of the information in the event of a \u201csecurity breach\u201d unless, \u201cthere is no reasonable risk of harm or fraud.\u201d<\/p>\n
Under the PDNPA, sensitive personally identifiable information includes 1) an individual\u2019s first name or first initial and last name paired with any two of the following: home address, telephone number, mother\u2019s maiden name, and\/or birth date; 2) social security number, driver\u2019s license number, passport number, alien registration number, or government-issued identification number; 3) biometric data; 4) financial account, debit card, or credit card number and other financial information; 5) username and password to an online account; or 6) any combination of: an individual’s first name and last name or first initial and last name, certain financial account information, and\/or information that can be used to generate access codes, security codes, and passwords. The Act would also give the Federal Trade Commission (\u201cFTC\u201d) the authority to promulgate regulations identifying additional sensitive personally identifiable information.<\/p>\n
A security breach of such information would occur when there is a \u201ccompromise of the security, confidentiality, or integrity of\u201d the information, or if the information is lost, and it results in the unauthorized acquisition of sensitive personally identifiable information or unauthorized access to the information, or there is a reasonable basis to conclude that it has resulted in the unauthorized access or acquisition. When a covered business discovers a security breach it will have to give notice to the affected individuals without unreasonable delay\u2014not to exceed thirty days minus an exception\u2014unless there is no reasonable risk of harm or fraud to the individuals involved.<\/p>\n
The PDNPA would give enforcement authority to the FTC, with violations of the requirements categorized as unfair or deceptive acts or practices in commerce under the Federal Trade Commission Act. In the absence of this congressional grant, the FTC\u2019s authority to regulate data security policies of businesses is currently being disputed in FTC v. Wyndham Worldwide Corporation. <\/em><\/p>\n The PDNPA would not give a private right of action for violations of the Act. State attorneys general would have the authority to bring a civil action against a business in violation of the Act seeking enjoinment, compliance, and fines up to one thousand dollars per day, per affected individual (with a maximum of $1,000,000 per violation unless willful or intentional). However, a state attorney general would have to give notice of the action and a copy of the complaint to the FTC and Attorney General prior to filing the action. The Attorney General would be able to prevent a state attorney general from filing the action if it would impede a criminal investigation or national security activity, or the FTC had already initiated a proceeding under the PDNPA against the defendant.<\/p>\n If passed, the federal data breach standard would supersede all state laws \u201crelating to notification by a business entity engaged in interstate commerce of a security breach of computerized data\u201d except for state laws requiring additional content in notifications.<\/p>\n Compared to Pennsylvania\u2019s data breach standards, for example, the federal requirements include more types of data in its definition of personally sensitive information.<\/p><\/blockquote>\n The federal data breach notification proposal also uses a more expansive definition of a data breach. Additionally, while the Pennsylvania law requires the\u00a0actual<\/em>\u00a0access\u00a0and<\/em>\u00a0acquisition of data that materially compromises the security or confidentiality of the data for an event to qualify as a data breach, the federal standard would classify both 1) an actual unauthorized acquisition\u00a0or<\/em>\u00a0access to sensitive personally identifiable information, and 2) a\u00a0reasonable basis to conclude\u00a0<\/em>there was an unauthorized acquisition\u00a0or<\/em>\u00a0access of the information as a security breach that triggers the Act’s requirements\u00a0when the data has been lost, or there has been a compromise in its security, confidentiality, or integrity.<\/p>\n Businesses that developed their data security procedures based on Pennsylvania law (or other state laws with less-stringent data breach reporting requirements) will need to revise their data breach response policies if Congress passes the PDNPA.<\/p>\n","protected":false},"excerpt":{"rendered":" This January, President Obama announced a series of initiatives aimed at protecting consumer data. One of these proposals is the Personal Data Notification and Protection Act (\u201cPDNPA\u201d or \u201cAct\u201d), which would create a federal standard for data breach notifications. If passed, businesses will need to know these new requirements to prepare adequately for a data<\/p>\n","protected":false},"author":5,"featured_media":255,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[52,17],"tags":[],"coauthors":[53],"class_list":["post-253","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-compliance","category-student-authored","masonry-post","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-33"],"yoast_head":"\n