The House Commerce, Manufacturing and Trade subcommittee approved the Secure and Fortify Electronic Data Act (“SAFE Data Act” or “Act”) on July 20, 2011, and it will now move to the full Energy and Commerce Committee for consideration.
The full text of the SAFE Data Act is available here. It applies to all persons and companies subject to the jurisdiction of the Federal Trade Commission (“FTC”) and any tax-exempt organizations under Section 501(c) of the Internal Revenue Code. It does not, however, apply to entities covered by HIPAA and Gramm-Leach-Bliley in certain circumstances.
A few other notable highlights of this data privacy and breach notification act are as follows:
- The proposed SAFE Data Act applies to “personal information” which is defined as a consumer’s name, or address or phone number combined with one or more of the following pieces of information: social security number, government identification number (e.g., driver’s license number), or financial account identification number (if the codes or passwords needed to gain access to the financial account are included).
- The proposed legislation would preempt State and local laws that impose similar information security or breach notification requirements as to any covered entity and would preempt civil actions under State law for violation of information security or breach notification requirements unless brought by a State official.
- The SAFE Data Act would establish a national standard for when companies are required to notify consumers that their unencrypted personal information has been accessed or acquired as well as for notifying the FTC and law enforcement of a security breach.
- Notification to the FTC is required within 48 hours of discovering an information breach, and notification to consumers is required “as promptly as possible” but not later than 45 days after discovery of such breach. Notification can be delayed by law enforcement, the National Security Agency, or the Homeland Security Agency if it is determined that such notification will threaten an investigation or national or homeland security. Interestingly, however, this notification requirement may be circumvented if a covered entity makes a “reasonable determination that the breach of security presents no reasonable risk of identity theft, fraud, or other unlawful conduct ….” In this regard, the bill creates a presumption that “no reasonable risk of identity theft, fraud, or other unlawful conduct exists” if the disclosed data is unusable, unreadable, or indecipherable due to encryption or other security technology.
- Those covered by the proposal would be required to maintain policies and procedures concerning: (1) the collection, use, sale and other dissemination of data containing personal information; (2) a process for identifying reasonably foreseeable vulnerabilities through regular monitoring; (3) taking preventive and corrective action; and (4) properly disposing of data containing personal information in electronic and non-electronic form. Additionally, persons who own or possess data containing personal information must establish a plan for minimizing the amount of personal information they keep.
For more information on this proposed data privacy and breach notification legislation or on similar information security law, please contact Jason Shinn.