Data Breach Notification Bills: What You Need to Know

In 2014, the retail industry was inundated with breaches at companies like Neiman Marcus, Home Depot, Staples and Michaels. And the list goes on and on.

So it shouldn’t come as a surprise that, in the first five months of 2015, there’s been an onslaught of proposed data breach legislation—seven bills looking to do something about the 258 business-related breaches that happened last year (if you’re counting). 

At the moment, nearly every state has its own approach to data breach response, but a national standard doesn’t exist. It’s a good thing that legislators are taking the data security problem more seriously, but all these bills are getting a little difficult to tell apart. To help you keep them straight, we’ve created a cheat sheet for the seven data breach notification bills that are currently under consideration in Congress. 

As of June 2, 2015, all of these bills were waiting in line to appear on the floor of the House or Senate, though the House Financial Services Committee did have a hearing on May 15 to educate Congress on data breach security, titled “Protecting Consumers: Financial Data Security in the Age of Computer Hackers”. 

Here are the bills:

1. Data Security and Breach Notification Act of 2015 (H.R. 1770)

Proposed by: Republican Marsha Blackburn

What it would do: Companies would be required to contact customers not only if their information was stolen by cyber criminals, but also if those criminals merely accessed the information. The FTC would then be free to issue penalties to companies that violated the security rules outlined in the act. The proposed legislation also incorporates specific mandates for Internet service providers and private-sector businesses that work with sensitive information.

What it means for businesses: Because the breach security and response procedures don’t stray far from what already exists for individual states, the cost of compliance for most businesses would likely be small. 

2. Data Security Act of 2015 (H.R. 2205)

Proposed by: Financial Institutions and Customer Credit Subcommittee Chairman Randy Neugebauer and Financial Services Committee member John Carney

What it would do: This act would impose equal responsibility on all the players involved in securing sensitive payment data. It also shows an understanding of the specific security capabilities of small businesses by creating data security expectations that scale with the size of the business.

What it means for businesses: Under this legislation, companies would be required to create a plan for safeguarding sensitive information and to assign one employee responsibility for overseeing these measures, analyzing risks, monitoring the status of the company’s plan, and improving or changing realistic security measures as available technology changes.

3. Personal Data Notification and Protection Act of 2015 (H.R. 1704)

Proposed by: Democrat James Langevin 

What it would do: This act would set very specific and thorough parameters for notifying customers of a data breach. It’s targeted toward businesses that work with the sensitive information of over 10,000 customers over a 12-month timeframe. Should a company find out that a security breach occurred, it would have 30 days to contact affected customers and key media if a single state’s population of affected customers reaches 5,000. From there, the Department of Homeland Security would be charged with assigning responsibility for monitoring future problems with the business and ensuring that the Secret Service, FBI and FTC are alerted should the breach grow beyond 5,000 individuals or involve the personal information of over 500,000 individuals (even if they’re not directly affected). Should a company analyze its own post-breach risk and find that there is no foreseeable threat, the FTC would perform its own analysis and decide whether the company qualifies for an exemption from the required steps for notifying customers.

What it means for businesses: If you have fewer than 10,000 customers each year, you’d be exempt from this law. However, if you’re a large business, this is one to keep an eye on, as it could have major implications and prove costly for your business, especially in the event of a breach.

4. Data Security Act of 2015 (S. 961)

Proposed by: Democrats Tom Carper and Roy Blunt

What it would do: This act puts the responsibility on individual companies (including financial institutions and retailers) to evaluate a data breach’s reach, the type of data either potentially or definitely accessed by hackers, and the likelihood of that stolen information leading to fraud or theft of a customer’s identity.

What it means for businesses: If the company determines that there’s a high risk, they’ll be required to contact the proper federal government agent, along with law enforcement officials and those impacted by the breach. Should the breach impact over 5,000 individuals, “national consumer reporting agencies” must be contacted. 

5. Consumer Privacy Protection Act of 2015 (S. 1158)

Proposed by: Democrats Pat Leahy and Elizabeth Warren

What it would do: The most notable part of this act is the implementation of seven new categories of “protected information.” A company would be required to contact individuals should any of those categories—social security numbers, information about customers’ bank accounts, usernames and passwords for online accounts, biometric data, health information, geolocation data, private videos and photos—be compromised. The act would also enforce disclosure of breaches impacting social networks and cloud email services. It wouldn’t override current, state-specific laws on privacy.

What it means for businesses: If your business captures or stores any of the data mentioned above, it’s important to remain vigilant when it comes to breaches that impact consumer privacy, whether this law passes or not.

6. Data Security and Breach Notification Act of 2015 (S. 177)

Proposed by: Democrat Bill Nelson

What it would do: This act would put the regulation responsibility on the FTC to ensure that all companies that either handle personally identifiable information or have that information handled by a third-party service are compliant with security measures regarding that data. Under this act, it’d be the responsibility of the Department of Homeland Security to implement a notification procedure should more than 10,000 customers be directly affected, or if hackers access a database that contains data for over 1 million people. Notification requirements include the Secret Service, FBI, FTC, the U.S. Postal Inspection Service in cases where mail fraud occurs, attorneys general in states impacted by the breach, and other federal agencies on a case-by-case basis.

What it means for businesses: If a business is found to have kept a breach hidden, and that breach leads to an individual impact of $1,000 or more, penalties include a fine and/or as much as five years imprisonment. 

7. Data Breach Notification and Punishing Cyber Criminals Act of 2015 (S. 1027)

Proposed by: Republican Mark Kirk and Democrat Kirsten Gillibrand

What it would do: While limited information is currently available about this act, it appears that it wouldn’t only set breach notification standards for financial data, but also for individuals’ medical information. This legislation would also impose both fines and imprisonment for theft of identity and personal information. 

What it means for businesses: Like all of the bills mentioned above, this one could prove vexing for companies that are implicated in a data breach scandal.

While these bills vary in their requirements for disclosure and in the punishment they propose for businesses that hide a breach, one thing is clear: soon, enforcing proper security and disclosure procedures by law will be the norm on a national level. And though larger companies may feel the impact of this legislation more strongly in certain scenarios, this is a topic that affects businesses of all sizes.