New Federal Bill Would Preempt State Data Security Breach Notification Laws
Rep. Marsha Blackburn (R-Tenn.) recently introduced H.R. 1770, the Data Security and Breach Notification Act, in the House Energy and Commerce Committee. The bill is intended to establish a single national framework for data security and breach notification: it would preempt all state data breach laws and replace them with one federal standard. The stated goal is to simplify compliance for U.S. companies, which currently face separate and distinct breach notification laws in 47 states and the District of Columbia.
Under H.R. 1770, a company that “acquires, maintains, stores, sells, or otherwise uses data in electronic form that includes personal information”[i] must “implement and maintain reasonable security measures and practices to protect and secure personal information.”[ii] Companies that suffer a breach would still be subject to notification requirements. However, notification could be avoided if there is “no reasonable risk that the breach of security has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud to the individuals whose personal information was affected by the breach of security.”[iii] Where the personal information of more than 10,000 individuals is “accessed or acquired by an unauthorized person,” the breached company would also be obligated to notify the Secret Service or the Federal Bureau of Investigation.[iv] If enacted, the law would be enforced by the Federal Trade Commission and by State Attorneys General.[v]
The House Energy and Commerce Committee approved H.R. 1770 on April 15, and the bill could see floor action the week of April 20 under the guidance of Chairman Fred Upton (R-Mich.).
[i] Data Security and Breach Notification Act of 2015, H.R. 1770, 114th Cong. § 5(5) (2015).
[ii] H.R. 1770 at § 2.
[iii] H.R. 1770 at § 3(a)(3).
[iv] H.R. 1770 at § 3(a)(5).
[v] H.R. 1770 at § 4(a)-(b).