Highlights of the Secure and Protect Americans’ Data Act in U.S. House
The hearing on the Federal Trade Commission earlier this week revealed another proposed privacy bill in the U.S. House of Representatives. The Secure and Protect Americans’ Data Act (HR 3896) was introduced by Rep. Janice Schakowsky (D-IL), ranking Democrat on the Digital Commerce and Consumer Protection Subcommittee, on October 2, 2017. The bill has 9 co-sponsors and was referred to the Committee on Energy and Commerce.
The Secure and Protect Americans’ Data Act would give the Federal Trade Commission less burdensome rulemaking authority and the ability to levy civil penalties on companies for violations of its data breach notification requirements. The bill would also require companies that collect personal data to adopt security measures such as intrusion prevention systems and active breach monitoring.
Compliance Programs
The law would require the FTC to issue regulations within one year requiring reasonable security practices at covered entities. These regulations are to include a requirement for a written security plan, identification of an information security officer, a process for vulnerability monitoring, a process for vulnerability mitigation, a process for data deletion, employee training, and an incident response plan.
Covered entities would need to engage in annual monitoring of their consumer privacy and data security program for relevant changes in technology, threats and vulnerabilities, and changing business arrangements.
When a company submits a breach notification to the FTC, it would also have to submit its security policies.
Information Brokers
Information brokers would face special rules. They would need to establish reasonable procedures to ensure maximum accuracy of the personal information collected and maintained, unless it falls within the fraud database exception. They would also need to establish measures to facilitate auditing of internal or external access to the personal data.
The law would also require information brokers to provide each individual with their personal information at no cost at least once per year if the individual submits a verifiable request. They would also need to place a conspicuous notice on their website telling consumers how to request access to their information. Individuals would also have the right to dispute and correct their information. Both rights would be subject to limitations, such as requests barred by law or legally recognized privilege, certain governmental or fraud prevention purposes, or published media records.
Rather than give consumers the right to access and correct data, an information broker that uses, shares or sells information for marketing purposes may alternatively give consumers the option to opt out of such usage and must honor the request if submitted.
The proposed law would also prohibit information brokers from obtaining personal information by false pretenses or soliciting it under false pretenses.
Data Breach Notifications and Obligations
The data breach notification rule would require covered entities to notify each U.S. citizen or resident whose personal information is reasonably believed to have been acquired or accessed by an unauthorized person or used for an unauthorized purpose. The notification would have to come without unreasonable delay, but not later than 30 days after discovery of the security breach. Delay of the notification for law enforcement or national security purposes would be permitted.
Notification of the public would be required by a variety of means, including individual written or email notifications, website and media notification, and notification of law enforcement. Covered entities would also need to notify the major consumer reporting agencies when notifications to more than 5,000 individuals are necessary.
The content of notifications would include a description of the personal information subject to the breach, a general description of the incident and date, contact information for consumers, eligibility for services, the contact information of the major consumer reporting agencies and the contact information for reporting identity theft to the FTC.
Other obligations following breaches would include providing either consumer credit reports or credit monitoring, as well as a service that permits consumers to control access to their personal information and credit reports. This monitoring obligation would not apply if the only information contained in the breach was first name, last name, address, phone number, credit or debit card number and required security code. It would also not apply if the data was encrypted and the breach did not include the cryptographic keys needed to decrypt it.
FTC Rulemaking and Enforcement
The FTC currently issues rules under the Magnuson-Moss Warranty Act, which is more burdensome than the Administrative Procedure Act (APA). The law would permit the FTC to issue rules for this law under the APA.
The law would provide for enforcement by the FTC and State attorneys general.
Key Definitions in the Law
The covered entities include any organization, corporation, trust, partnership, sole proprietorship, unincorporated association or venture over which the FTC has authority, as well as common carriers subject to the Communications Act and any nonprofit organization.
Information broker would be defined to include commercial entities whose business is to collect or maintain personal information about individuals who are not current or former customers of the entity in order to sell the information or provide access to third parties in exchange for consideration. It does not include commercial entities that process information on behalf of third parties to enable the third party to provide benefits to employees or directly transact business with customers.
Personal information would be defined as:
– First name (or initial) and last name along with 2 of the following: home address, telephone number, mother’s maiden name, birth date (month/day/year), and user name/email address.
– Driver’s license number, passport number, or similar government document number.
– Unique account identifier such as credit/debit card number.
– Partial or complete social security number.
– Unique biometric or genetic data such as faceprint, fingerprint, voice print, retina image, or other unique physical representations.
– Information to access a user’s account such as username and password or email and password.
– Any security code, access code or password used to generate such codes or passwords, in combination with other specified data elements.
– Certain location information.
– Health information or health insurance policy numbers.
– Digitized or electronic signature.
– Nonpublic communications or other user-created content.
– Payroll records, income records, financial account records, mortgage records, purchases and other specified information.
– Any additional classifications specified by the FTC.
State Preemption
The law would preempt the state laws concerning data breach notification and information security practices. It appears as if other laws would not be preempted. As such, much of the California Consumer Privacy Act would likely remain enforceable under the current text of the bill.
Contact Clarip for Help with Your Privacy Program
The Clarip data privacy software and team are available to help improve privacy practices at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, we can help through our modular GDPR software. Whether you are starting the process with GDPR data mapping software, need privacy impact assessment software, or looking to meet ePrivacy requirements with cookie consent manager, Clarip can help strengthen your privacy program.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.