Friday, June 10, 2011

Will Small Businesses get a break with the newly-proposed Federal Data Breach Notification Laws?

In May, the White House proposed sweeping new legislation aimed at data breaches (the text of the law can be found here). The purpose of the proposed law is to simplify the various State reporting and notification obligations of companies when they (inevitably) lose the personal information of their customers, agents or employees. Generally speaking, those laws require companies to encrypt their data so as to avoid the harsh consequences of losing “clear text” personal information.

As I stated in a previous blog post, the proposed legislation creates new obligations on companies that handle personal information. In particular, when companies that are subject to the new law lose data, they will have to conduct a Risk Assessment as to the loss and notify the FTC of the results of the Risk Assessment. As in the past, centrally-managed encryption is one of the easiest ways to “pass” the Risk Assessment.

But what about small businesses? They are clearly covered by most of the State breach notification laws. Will they be subject to the proposed Federal law? Not necessarily. The new legislation only applies to those companies that possess “sensitive personally identifiable information about more than 10,000 individuals during any 12-month period” (§101(a)). While some will certainly have that much data, many small (and even medium-sized) businesses will not have that many records. They will therefore not be subject to the new legislation.

So if the Federal law will not apply to small businesses, will the pre-existing State laws remain in effect for them? This is unclear. The proposed legislation includes a preemption provision stating that “[t]he provisions of this Title shall supersede any provision of the law of any State . . . relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data” (§109) (emphasis added). Did the White House intend to reduce the regulatory burden on small businesses? Possibly. But not likely.

As we watch for congressional action on this point, to see whether Congress clarifies the applicability of the various breach notification laws to all businesses (see, for instance, Senator Leahy’s proposed Bill), the best course of action for every business is to encrypt its data. The common denominator across all of the legislation we have been watching is that encryption protects companies from broad notification obligations.
