What a National Breach Notification Law May Look Like
President Obama's proposed legislative language to improve the nation's cybersecurity does not require companies to harden their information networks.
But the legislation sent to Congress lays out the President's plans to establish a national breach notification rule, lift legal barriers to enable industries and government to share threat data, and change federal racketeering laws relating to fraud and related activity in connection with computers, which would include deterring the development and sale of computer and cell phone spying devices. The legislative language and plain-English summaries are available here.
The breach notification standard--requiring notification to affected individuals within 30 days of discovery and regardless of the size of a breach--would apply to a business entity, which would include any organization, corporation, trust, partnership, sole proprietorship, unincorporated association or venture whether or not established to make a profit. The legislation does not exempt any industry by name. Under HIPAA, the healthcare industry presently has a 60-day notification requirement.
While the definition of a business entity is broad, the proposed national breach notification standard does not apply to all such entities. The standard would apply to any business entity engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period.
Security breaches are defined as a compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in, (1) the unauthorized acquisition of sensitive personally identifiable information (SPII); or (2) access to SPII that is unauthorized or in excess of authorization. The definition of sensitive personally identifiable information covers about two dozen types of numbers, accounts, demographics, codes, usernames and passwords.
There are exceptions to the 30-day notification period if a business entity seeks additional time from the Federal Trade Commission or for law enforcement or national security purposes.
Further, the legislation includes a safe harbor exemption from notification to individuals if a mandated risk assessment shows no reasonable risk that a breach has resulted or will result in harm. No reasonable risk exists where the data was rendered unusable, unreadable or indecipherable through a security technology or methodology generally accepted by experts in the field of information security. Business entities taking this safe harbor must notify the FTC within 30 days of the assessment. Notification to local or statewide media is required if a breach affects more than 5,000 individuals.