Data Breach Notification Laws - A Peek at the Proposed Data Security Legislation

Data Breach Notification Laws - A Peek at the Proposed Data Security Legislation
Page content

Moving Toward a Unified Set of Cybersecurity Laws

The Cybersecurity Legislative Proposal finally has been transmitted to Congress, as the federal government is stepping up with its initiatives to address cyberspace security. The proposal includes the Unified Data Breach Notification Laws, which represent the set of standard network security rules to be observed by all U.S. business entities operating via the Internet.

The related paper, Cyberspace Policy Review, reveals that the current responsibilities in handling Internet security are distributed among different government offices, departments and agencies. Authorities, policies and procedures either overlap or are insufficient for addressing security issues and for mitigating the related risks. These clearly derail the nation’s bid for global participation as they undermine the nation’s confidence over the network system. This takes into consideration that almost everyone performs or carries out day-to-day activities inside the Net.

Brief Info About the Recent High-Level Cyber Attacks

2007 Internet Crime Report

The need to step up the proposal’s legislative approval and implementation comes in the wake of the recent incidents of high-profile data security breaches. Our vulnerability is highlighted by the recent string of attacks that began last March, 2011. Cyber criminals were able to infiltrate RSA – the security arm of EMC Corporation, a leading management and storage solutions provider.

Although the company immediately made public the attack against their SECUREID product, the breach enabled attackers to eventually gain access to higher value targets. Accordingly, there is a great possibility that the criminals obtained complete or partial data over RSA-assigned customer encryption keys along with the corresponding serial numbers.

Sony, Lockheed Marin, Northrup Grumman and L-3 Technologies likewise disclosed that their security systems have been attacked. Lockheed, in particular, was penetrated through an element of RSA’s SecurityID. The most recent to have been victimized is Citigroup; the credit card company publicly announced that hackers were able to gain access to the account numbers, e-mail addresses and phone numbers of about 200,000 Citi-cardholders.

In all these cases, details about the full extent of the breaches are scarce, while these companies are still operating without preparedness to impose appropriate security breach laws. Networking enterprises, on the other hand, are being burdened with different state laws and regulations for cybersecurity. Hence the clamor for government actions in addressing these serious cyber threats has intensified.

1. Highlights of the Proposed Data Breach Legislation


The proposed enactment aims to educate the Internet user by providing full description of the following terminologies in relation to the proposed legislation:

What Constitutes Security Breach? – This denotes that the security and integrity of computerized data has been compromised or lost, and that there are reasonable grounds to conclude that:

  • Sensitive Personally Identifiable Information (SPII)” has been stolen.
  • The theft of the SPII makes possible the unauthorized use of said information

What is considered as a non-violation of data security? – All lawfully authorized investigations, protection or intelligence activities of any law enforcement or intelligence agency of the U.S. or of its state, or of a lawfully recognized political subdivision of a state.


What is included under the term “Sensitive Personally Identifiable Information (SPII)”? This refers to any information that was electronically or digitally compiled, which include the following:

  • A person’s last and first name.

  • A person’s first initial and last name.

  • The specified person’s home address, telephone number, mother’s name and exact date of birth (MM/DD/YY).

  • The specified person’s valid, up-to-date and unexpired (1) social security number (2) driver’s license number, (3) passport number (4) alien registration number, and (5) other government-issued identification number.

  • Biometric data that are uniquely identifiable as belonging only to the person named. Examples of these biometric data are fingerprints, voice-print, retinal or iris image, or any such physical attribute that is unique to the indiviual.

  • Account codes assigned as official identifier of the person, and used as his or her identification code for other business transactions, e.g., credit or debit card numbers, electronic ID numbers, user name or routing code.

Authority of the FTC

The Federal Trade Commission (FTC) was given the authority to decide if a person’s SPII has been compromised or stolen based on the following premises:

(a) A particular combination of any electronically compiled information is regarded as sensitive, personally identifiable information of the individual/s involved.

(b) Any particular information can stand alone as sensitive, personally identifiable information pertaining to the individual/s concerned.

2. Notification Rules


As a general rule, all business entities involved in interstate commerce that make use of electronically or digitally compiled SPII for more than 10,000 individuals during a 12-month period are required to notify said individuals in the event that their personal data have been compromised or stolen. Notifications may be given to an authorized third party, which includes the owner or the licensee to the SPII that was breached.

Exemption from the notification rule – A business entity becomes exempt from the notification rule only if the owner of the SPII breached or the authorized third party makes the actual notification regarding the data breach.

Another exceptional case exists if a federal law enforcement agency deems that the notification requirement will impede a criminal investigation or a national security activity. In line with this, the authorized federal agency shall issue a written notice to the business entity concerned that delay in notifying the affected individuals is necessary.

When should the notification be made? – All notifications shall be made immediately and without unreasonable delay after the discovery of the security breach. In addition, the FTC may request proof or evidence that notification was actually complied by the business entity.

When is a delay in notification considered as reasonable? – Under ordinary circumstances, unreasonable delay should not exceed 60 days from the date of discovery of the breach. Delay in notification is allowed only if the business entity has provided the FTC with ample justifications and evidence that a delay of notification will:

  • Allow the entity to determine the extent or scope of the security breakdown.
  • Prevent the business entity from making further disclosures or conduct risk assessments.
  • Be necessary in order to restore the integrity of the security system as well as to provide information about security incidents, threats or vulnerabilities as required by the Secretary of Homeland Security.

The FTC shall determine if such an extension for delay of notification is necessary and shall grant, in writing, an additional period of 30 days. Additional periods assessed as necessary by the FTC shall not exceed 30 days for each extension request.

3. Methods of Notification


All business entities shall give notice of any incidents of security breach by sending out individual notifications to all concerned and by way of media if the number of affected individuals per state exceeds 5,000. The media notification ensures that information about the security breach immediately reaches the concerned residents of that state.

What should the individual notices contain? – The individual notices shall provide:

  • A description of the type of SPII that was believed to have been exposed to unauthorized access.
  • A toll-free number that the affected individual may use in order to get in touch with the business entity or its authorized agent or to extract specific details as to the type of SPII that the business entity maintains.
  • A toll-free telephone number and addresses of the FTC and credit-reporting agencies.
  • The notice shall include a statement that the business entity has a direct business relationship with the affected individual.
  • [A U.S. state may further require that the notice should contain additional information]( WG41o0) regarding state-provided victim protection assistance being extended to the public.

What other organizations require notifications?

If the business entity provided notifications to more than 5,000 individuals, it is also required that notices be given to all consumer reporting agencies maintaining consumer files on a nationwide basis.

The National Homeland Security, United States Secret Service, the Federal Bureau of Investigation and the Federal Trade Commission shall likewise receive immediate information, which must be within 72 hours before individual notices are sent, if:

  • The number of affected individuals whose SPII have been breached exceeds 5,000.

  • The security breach affects a database, including those that operate under networking systems, or any other data-storing system that contains the SPII of more than 500,000 individuals on a nationwide scale.

  • The security breach affects a database owned by the federal government.

  • The SPII of individuals known by the business entity to be employees or contractors of the government handling matters related to national security or law enforcement.

4. Enforcement Laws to Be Imposed on Those Who Will Not Comply

(1) FTC’s Unfair or Deceptive Acts or Practices and other regulations which may be determined by the FTC as required or authorized for the purpose.

(2) Civil Actions to be filed by a U.S. state’s attorney general or by virtue of any statutory law that requires prosecution against violators of consumer protection laws.

Inasmuch as the information provided in this article contains only highlights of the proposed Data Breach Notification Laws, readers will find the complete details in a White House publication entitled “Legislative Language - Law Enforcement Provisions Related to Computer Security ." (Find the link in the reference section below.)

Reference Materials and Image Credit Section:


Image Credits: