The protection of personal data is in the midst of important legislative changes, notably in the United States and in the European Union (EU). On the other side of the Atlantic, a new Bill, known as the “Data Security and Breach Notification Act”, was introduced in the Senate. The Bill aims to protect consumers by requiring reasonable security policies and procedures to protect personal data and by providing for nationwide notice in the event of a breach of security.
A breach of security is defined as an event which “compromise[s] the security, confidentiality, or integrity of, or loss of, data in electronic form that results in, or there is a reasonable basis to conclude has resulted in, unauthorized access to or acquisition of personal information from a covered entity” (Section 6).
The General Data Protection Regulation (GDPR, Regulation n°2016/679) holds an analogous definition of a personal data breach: “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4, 12°). The GDPR will come into force on May 25th, 2018. It harmonizes and reinforces the protection of personal data within the EU. This is not the only point the two texts have in common.
Mathias Avocats provides an overview of the Bill and a comparison with the GDPR.
What is the Bill’s scope?
The Data Security and Breach Notification Bill concerns “each entity that owns or possesses data containing personal information, or contracts to have any third-party entity maintain or process such data for such covered entity” (Section 2, a), 1)).
This provision is very similar to the scope of the GDPR in the sense that the latter applies to data processors and controllers. The data controller determines, alone or jointly with others, the purposes and means of the processing of personal data, whereas the data processor processes the personal data on behalf of the controller (Article 4, 7° and 8° of the GDPR). However, these definitions are broader than the Bill’s, since a data processor or controller can be a natural person.
Moreover, the GDPR is applicable to data controllers or processors not established in the EU if the processing activities are related to the offering of goods or services to data subjects within the EU or to the monitoring of their behavior (Article 3 of the GDPR). The Bill will only be applicable in the United States.
The Bill also contains broad exceptions. It will not apply to financial institutions subject to and in compliance with the Gramm-Leach-Bliley Act and to other entities subject to and in compliance with various Acts such as the Health Information Technology for Economic and Clinical Health Act and the Social Security Act.
What are the obligations under the Bill?
The covered entities shall establish and implement policies and procedures regarding information security practices for the treatment and protection of personal data. Section 2, a), 2) of the Bill sets out six elements the policies and procedures will have to include:
- “a security policy with respect to the collection, use, sale, other dissemination, and maintenance of personal information;
- the identification of an officer or other individual as the point of contact with responsibility for the management of information security;
- a process for identifying and assessing any reasonably foreseeable vulnerabilities in each system maintained by the covered entity that contains such personal information;
- a process for taking preventive and corrective action to mitigate any vulnerabilities;
- a process for disposing of data in electronic form containing personal information by destroying, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or indecipherable;
- a standard method or methods for the destruction of paper documents and other non-electronic data containing personal information”.
In this context, the Bill overlaps with several articles of the GDPR. For example, the “process for identifying and assessing any reasonably foreseeable vulnerabilities” in systems containing personal information is akin to a Data Protection Impact Assessment. The latter is a means of evaluating the risk to the rights and freedoms of data subjects according to the nature, scope, context and purposes of the processing. It can be a useful tool when drafting a security policy and implementing measures ensuring an appropriate level of security.
Furthermore, data controllers are under an obligation to notify any personal data breach to the supervisory authority, and data processors must notify such breaches to the controller (Article 33 of the GDPR). Finally, the GDPR also provides for the erasure of personal information through the right to be forgotten.
Who must be notified?
Section 3 of the Bill provides that each individual who is “a citizen or resident of the United States (…) whose personal information was or is reasonably believed to have been acquired or accessed (…) as a result of the breach of security”, as well as the Commission, must be notified. If the data processing is entrusted to a third party, that party must notify the covered entity.
Notifications must be made in writing and within 30 days after the date of discovery of a breach of security, or as promptly as possible if notice could not feasibly be given within 30 days.
Once again, a parallel can be drawn between the GDPR and the Data Security and Breach Notification Bill. The time given to notify is the same. However, under the GDPR a supervisory authority must be notified, and communication of the data breach must be made to the individuals only when the breach is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 34 of the GDPR).
What are the sanctions?
A covered entity which violates the Bill may be subject to injunctions and civil penalties of up to over $5,000,000 (Section 5, c)). Within the European Union, data processors and controllers can be subject to administrative fines of up to 10,000,000 euros or 20,000,000 euros, depending on which article of the GDPR was violated. Such sums are intended to have a deterrent effect.
If the Bill is adopted, it will be the first comprehensive Federal Act regulating the collection and use of personal data in every State. It will provide an extensive framework. Currently, only 48 States have passed security breach notification laws.
It appears that the Data Security and Breach Notification Bill takes up several requirements from the GDPR. Nonetheless, it remains to be seen in practice how the Bill will operate and how similar it is to the GDPR. Let us underline that the Federal Trade Commission will promulgate regulations for the covered entities’ obligations within a year of the enactment of the Act (if the Bill is adopted).
Mathias Avocats will keep you informed of further developments and can advise you on any question regarding the protection of personal data.