In an effort to standardize data breach laws nationwide, Rep. Marsha Blackburn (R-Tenn.) introduced H.R. 1770 in the House this past week, where it was referred to the House Energy and Commerce Committee. Called the Data Security and Breach Notification Act, it aims to replace all state data breach laws with a single federal standard. Currently, 47 states and the District of Columbia each have their own separate and distinct data breach laws. Rep. Blackburn’s legislation is intended to make it easier for U.S. companies to comply with data breach requirements by creating uniformity.
If passed, H.R. 1770 would require any company that “acquires, maintains, stores, sells or otherwise uses data in electronic form that includes personal information”[i] to “implement and maintain reasonable security measures and practices to protect and secure personal information.”[ii] Companies that suffer a breach of security are subject to notification requirements, but notification is not required if there is “no reasonable risk that the breach of security has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud to the individuals whose personal information was affected by the breach of security.”[iii] In cases where more than 10,000 individuals’ personal information is “accessed or acquired by an unauthorized person,” the breached company would also be required to inform the Federal Bureau of Investigation and/or the Secret Service.[iv] If enacted, the legislation would give enforcement powers to state Attorneys General and the Federal Trade Commission.[v]
Following its approval by the House Energy and Commerce Committee on April 15, H.R. 1770 could reach the House floor, under the guidance of Chairman Fred Upton (R-Mich.), as early as the week of April 20.
[i] Data Security and Breach Notification Act of 2015, H.R. 1770, 114th Cong. § 5(5) (2015).
[ii] H.R. 1770 at § 2.
[iii] H.R. 1770 at § 3(a)(3).
[iv] H.R. 1770 at § 3(a)(5).
[v] H.R. 1770 at § 4(a)-(b).