Last week, we took a look at Senate Finance Committee Ranking Member Ron Wyden’s (D-OR) “Consumer Data Protection Act” discussion draft, not to be confused with Senator Bob Menendez’s (D-NJ) “Consumer Data Protection Act” (S. 2188), a data security and breach notification bill. As discussed at some length there, Wyden’s bill would vastly expand the power of the Federal Trade Commission (FTC) to police both the security and privacy practices of many U.S. and international multinational companies. The FTC would receive the authority to levy fines in the first instance, potentially as high as the 4% of annual gross revenue permitted under the European Union’s General Data Protection Regulation. Moreover, the operative definition of the “personal information” that must be protected or subject to the privacy wishes of a consumer is very broad. The bill would also sweep artificial intelligence (AI) and algorithms (i.e. so-called big data) into the FTC’s jurisdiction.
While the “Consumer Privacy Protection Act of 2017” (H.R. 4081) from the 115th Congress also focuses on data security, it still contains provisions that would require those entities covered by the bill to better protect consumers’ privacy. Representative David Cicilline (D-RI) sponsored the House bill and is now the chairman of the House Judiciary Committee’s Antitrust, Commercial and Administrative Law Subcommittee, which is conducting an investigation into possible anti-competitive practices in the technology industry. Eleven other House Democrats cosponsored this bill, which was not considered at all in the last Congress. Senator Patrick Leahy (D-VT) and some Senate Democrats introduced S. 2124, a bill that is substantially similar to the House version.
Not surprisingly, this bill would make certain conduct related to data security subject to possible criminal liability. This would differentiate this bill from a number of the other bills, save for Senator Ron Wyden’s (D-OR) discussion draft. A likely reason for this difference is that a number of the sponsors of both bills serve on the Judiciary Committees, and in order for data security and privacy bills to be referred to those committees there must be matter in the bill subject to the jurisdiction of those committees. However, this is not to suggest there is merely craven politics at work. Instead there is likely legitimate concern that the problems presented by these areas will not be solved absent stiff penalties for egregious conduct.
Generally, covered entities must design a consumer privacy and data security program tailored to the risks associated with the entity’s data activities, including conducting risk assessments, managing and controlling risks, performing vulnerability tests, and periodically assessing and upgrading hardware, software, and technology. Covered entities would include almost all entities except those in compliance with the Financial Services Modernization Act of 1999 (aka Gramm-Leach-Bliley) or the Health Insurance Portability and Accountability Act of 1996 (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH) Act, and “service providers” (i.e. ISPs that are solely engaged in the “transmission, routing, or temporary, intermediate, or transient storage of [electronic] communication”). An additional exception exists for entities that would otherwise be covered: the data security requirements of the bill attach only once an entity collects, uses, stores, transmits, or disposes of the information of at least 10,000 people in any 12-month period.
“Sensitive personally identifiable information” is defined as “any information or compilation of information, in electronic or digital form that includes” the usual sort of information policymakers want protected (e.g. Social Security number, driver’s license, biometric data, etc.). However, this definition also sweeps in the types of data protected under HIPAA/HITECH Act regulations, geolocation data, financial account numbers or credit or debit card numbers, and password-protected digital photographs and digital videos not otherwise available to the public.
The FTC is directed to promulgate regulations under APA notice and comment procedures, but the phrasing suggests the FTC’s latitude in drafting regulations may be limited. The bill provides that covered entities must comply with the “following safeguards and any other administrative, technical, or physical safeguards identified by the FTC in a rulemaking process…for the protection of sensitive personally identifiable information.” Consequently, covered entities would need to understand and hew to the new consumer privacy and data security program laid out in Section 202(a) and the subsequent “other administrative, technical, or physical safeguards identified by the FTC” in a rulemaking, possibly leading to additional, yet-to-be-determined requirements. The choice of the word “identified” seems to be key here. A fair reading of this provision is that the FTC would merely identify the additional standards, as opposed to a traditional rulemaking under which the agency would have greater discretion to determine the standards with which entities should comply. Additionally, the bill stipulates that covered entities must “implement a consumer privacy and data security program pursuant to this subtitle” within one year of enactment. However, there is no timeline by which the FTC must promulgate its regulations. So, covered entities would need to read the requirements in Subtitle A of Title II (i.e. Consumer Privacy and Security of Sensitive Personally Identifiable Information), make their best effort to comply, and then wait for the FTC’s additional regulations at some point in the future.
With respect to enforcement, either the Department of Justice (DOJ) or the FTC could file civil litigation in federal court. Both agencies could seek fines of up to $16,500 per individual whose sensitive personally identifiable information has been breached, with a cap of $5 million on total fines unless the conduct is found to be willful and intentional, at which point fines would be uncapped. Like the other bills, this one allows the FTC to treat alleged violations of the new security and privacy regime as an “unfair or deceptive act or practice in commerce in violation of a regulation,” allowing the agency to pursue civil fines in the first instance. State attorneys general could also bring actions under this section, but usually only after alerting the DOJ and the FTC.
H.R. 4081 does not create a private right of action for consumers allegedly harmed by a breach, but it explicitly does not preempt a consumer’s ability to file a lawsuit under state law (e.g. tort or contract actions). Likewise, the bill sets a floor for security and privacy standards, and only those state laws less stringent than the new federal regime would be preempted.
As mentioned, some failures to meet the requirements of this bill would result in criminal liability. Title I of the bill would make it a felony to conceal a security breach of sensitive personally identifiable information. However, a person accused of concealing such a breach must have knowledge of the breach, must “intentionally and willfully” act to conceal it, and the breach must result in economic harm of at least $1,000 to at least one person. This title would also require the Department of Justice (DOJ) to report on the number of prosecutions under the Computer Fraud and Abuse Act (CFAA) related to exceeding authorization on a computer system or unauthorized access to a computer system. The federal government would also receive authority to shut down bot networks.