Proposed bill calls for a national breach notification standard
In the wake of the Equifax data breach that may have affected more than 143 million individuals, Rep. Jim Langevin (D-Rhode Island) has reintroduced legislation previously proposed to establish a single national breach notification standard, along with establishment of a federal regulator that would ensure information on a breach quickly reaches affected individuals.
The bill is H.R. 3806, entitled the Personal Data Notification and Protection Act. Alabama and South Dakota are the only states that don’t currently have a state breach notification law.
“There is much still to learn about the Equifax breach and its ramifications,” says Langevin in a statement. “What is abundantly clear, however, is that consumers are still not sure whether they were affected and what information was stolen.”
The bill as proposed would require healthcare organizations and other types of companies to notify affected individuals within 30 days of discovery of a breach of protected information and also calls for the Federal Trade Commission to establish processes to help coordinate breach notifications. However, notification would not be necessary if there is no reasonable risk of fraud or other harm.
In the healthcare industry, organizations that have experienced a data breach must notify the Department of Health and Human Services’ Office for Civil Rights within 60 days. However, with the ransomware/hacking epidemic and the prolonged time it takes providers to recover from an attack, that deadline frequently is not met.
Under the proposed bill, in some cases a business entity normally required to provide notification of a breach won’t be required to do so if an owner or licensee of the information subject to the breach or another designated third party provides such notification. Other provisions include:
• Business entities can, with FTC approval, request an extension beyond the 30-day notification standard if additional time is necessary to determine the scope of a breach, prevent further disclosures, conduct a risk assessment, restore data integrity or provide notice to the breach notification entity.
• The risk assessment must include logging data, “as applicable and to the extent available,” for at least six months before discovery of the breach. This data includes each communication or attempted communication with a database or information system containing personally identifiable information, as well as Internet addresses, and the date and time associated with attempted or completed communications. Further, all log-in information associated with protected information must be collected.
• The Secret Service or Federal Bureau of Investigation could determine if notification of a specific breach could reveal sources and methods that could impede law enforcement activities, including those being conducted by local police agencies, in which case notification would not be required.
• Breaches reasonably believed to have involved data that was accessed or acquired by an unauthorized person and that affect more than 5,000 individuals must be reported to the Secret Service and the FBI.
• Breaches involving a database, networked or integrated databases, or other data systems containing protected information on more than 500,000 individuals across the nation also must be reported to the Secret Service and the FBI.
Rep. Langevin was not available for comment. The text of the bill is available here.