3500 Lacey Road, Suite 100
Downers Grove, IL 60515
Yesterday the House Energy and Commerce Committee passed the Data Security and Breach Notification Act of 2015 by a vote of 29-20. We continue to support an effort to pass a federal preemption of state data breach laws to ensure that companies are subject to one notification requirement instead of a patchwork of laws – many of which are inconsistent with each other. Nevertheless, CompTIA continues to work with the Committee to address several concerns with the bill, and we hope to effect changes so that we can support the bill as it goes to the Floor.
The sponsor of the legislation, Rep. Marsha Blackburn (R-TN), offered a manager’s amendment that sought to make several changes to notification and PII and to add some health-related provisions. Items addressed in Blackburn’s amendment include:
Notification: In the legislation, a non-breached covered entity that has a written contract with the breached covered entity may elect to provide notice instead of the breached covered entity. The manager’s amendment seeks to clarify the time frame in which this election must take place and the time frame in which the responsible party must then proceed to notify. It also addresses notification responsibilities with respect to the discovery of additional affected individuals.
PII: On PII, it appears to have narrowed the definition of PII somewhat by requiring a more robust combination of information. The manager’s amendment ensures that PII must be accessed AND acquired (previously “OR”) to trigger a notification. An additional amendment expanded PII to include email addresses and user names in conjunction with passwords.
FTC v. State AG Enforcement: No remedy was provided in the manager’s amendment to clarify that if the FTC proceeds with enforcement actions, a lawsuit brought by a State Attorney General should be extinguished and future suits estopped.
Healthcare Information: The manager’s amendment adds a “placeholder” for health information. While we believe this refers to non-HIPAA information, we will continue to watch this carefully.
We will continue to work on the issues we have concerns with, while also working to ensure the federal preemption we strongly support stays in place.