A Q&A with Dominic Paluzzi, McDonald Hopkins
In late January 2015, the White House introduced the Personal Data Notification and Protection Act (PDNPA), a data breach notification bill, intended to improve national cybersecurity. I asked attorney and breach coach Dominic Paluzzi of McDonald Hopkins about how this bill differs from the existing laws and its potential implications for risk managers.
Can you explain the PDNPA?
Right now we have 47 different state data breach notification laws and the PDNPA was created to try to simplify matters. These state laws are based on the residency of affected individuals so even with a small breach an organization can be dealing with 20, 30, or 40 different state laws. The idea of getting one Federal breach notification law has really gained traction in recent years, and while there have been several Federal bills in the making, this is the first one to gain the President’s stamp of approval.
Will this act override the existing state breach notice laws?
One of the major concerns is that the PDNPA covers only computerized data, while many of the state laws encompass hardcopy (paper) data loss as well. So if an organization suffered a breach involving paper documents only, arguably the PDNPA wouldn’t cover that incident and you would have to look back to the 47 state laws. Another gap lies in who this law applies to: as it’s stated it applies to business entities, organizations, corporations and partnerships, but leaves out public entities and state agencies. It also only applies to businesses that collect, use, access and/or store more than 10,000 individuals’ records during a 12-month period, leaving out smaller and some mid-size companies. I doubt the intention is to remove breach reporting obligations altogether for these markets.
What are some other differences of concern to risk managers?
A big shift is that the bill defines “breach” as not only unauthorized acquisition of sensitive personally identifying information (SPII), but also encompasses the mere unauthorized access to SPII. That’s very different from many state breach notice laws that stipulate that the data must be acquired to be considered a breach. Under these terms there will be many more breaches requiring notice—consider a malware situation when you have no confirmed exfiltration or acquisition of data, but know that access to SPII is likely, for instance. This common situation often goes unreported under the state laws, but would now require notification under the PDNPA.
Another change is that the PDNPA defines SPII much more broadly, adding elements like mother’s maiden name, home address, date of birth, user name, and routing code. Credit or debit card data, even without the name or security code, would constitute SPII. The same goes for Social Security numbers, bank account information, driver’s license numbers, passports and user names; unlike the state laws, a name need not be coupled with this information to qualify it as SPII under the PDNPA. This is a major departure from the state laws and, in my opinion, a game changer if it passes in its current state.
In terms of notice, the bill requires an organization to report a breach that affects more than 5,000 individuals to major media outlets, which is not required by any state law outside of the substitute notice requirements. Speaking of substitute notice, no such option exists under the PDNPA. Also, notice to the Department of Homeland Security will be required for breaches over 5,000, within 10 days. Even if you determine through a risk assessment that there is no risk of harm or fraud, the FTC will get to see your risk assessment. This goes far beyond what is required in most states now. The PDNPA would require the government be brought into many more privacy incidents, even when there’s no legal obligation to ultimately notify affected individuals about the breach.
Another issue is that if a vendor suffers a data breach and takes on the notice obligation for the owner of the data, the vendor is still required to list the name of the party that has the relationship with the recipient of the letter. If the PDNPA passes, gone are the days of hiding behind your vendor that had the breach.
Is this bill as stringent as the stronger state notification laws, such as California’s?
It’s definitely as stringent—if not more so—in how it broadens the definition of SPII, and in terms of the timeliness for responses to affected individuals (30 days) and the government (10 days).
Are there any penalties for violators?
One of the reasons Federal bills have died in committee over the last three or four years is that the state attorneys general would lose their enforcement abilities under those prior bills. In this case, the state AGs would still have the ability to bring an action on behalf of their affected residents. Civil penalties are up to $1,000 per day, per individual affected, per violation—with a maximum of $1 million per violation. In addition, the FTC, along with the U.S. Attorney General, can bring an investigation and fine a company for unfair or deceptive trade practices and the FTC could bring down an even harsher penalty.
We want to thank Mr. Paluzzi for this concise explanation of a proposed regulation that could alter the landscape of certain cyber risks. The state AGs’ statutory right of action and the penalty structure alone could trigger many more cyber claim events. The other interesting item here is the bill’s stipulation of the FTC’s review and enforcement abilities, which strengthens the agency’s position as an active and overarching privacy watchdog.