On July 20, 2011, the U.S. House of Representatives Energy and Commerce Committee's Trade Subcommittee approved the Secure and Fortify Electronic Data Act (the "SAFE Data Act"). The Act would require any business that maintains personal information to implement an information security program and notify affected individuals in the event of an information security breach. The SAFE Data Act would preempt the over 45 existing state information security and breach notification laws and task the Federal Trade Commission with developing information security rules implementing the Act.
On May 3, 2011, the Federal Trade Commission announced that Ceridian Corporation and Lookout Services, Inc. agreed to settle the FTC's allegations that the companies failed to safeguard their business customers' employee personal information. Ceridian's services include payroll processing, payroll-related tax filing, benefits administration and other human resource services for business customers. Lookout provides a web-based computer product that is designed to help employers comply with their obligations under federal law to complete and maintain a U.S. Citizenship and Immigration Services Form I-9 about each employee in order to verify that the employee is eligible to work in the United States.
Many of us have watched over the past few years as dozens of proposed federal data security and breach notification bills have been introduced, often with bipartisan support, but have failed to become law. This year has seen many of the usual proposals. For those of you keeping track, this year's bills include: Rep. Rush's Data Accountability and Trust Act -- HR 2221; Sen. Leahy's Personal Data Privacy and Security Act - S. 1490; Sen. Feinstein's Data Breach Notification Act - S. 139; and Sens. Carper's and Bennett's "Data Security Act of 2010" - S. 3579. However, 2010 has also seen new and expansive proposals for broad and far-reaching data privacy legislation, including Rep. Boucher's "discussion draft" and Rep. Rush's "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (or "BEST PRACTICES Act"). Most recently, on August 5, Sens. Pryor and Rockefeller introduced the "Data Security and Breach Notification Act of 2010" - S. 3742 (hereinafter "S. 3742" or the "Act"). S. 3742 is much more akin to the more traditional proposed breach notification and data security legislation mentioned above, and not nearly as ambitious as the draft Boucher Bill or the BEST PRACTICES Act. This post summarizes the key provisions in S. 3742.
We are seeing more and more private litigation and regulatory enforcement actions around the issue of what constitutes "reasonable security." This week we see another. Once again the FTC asserts that a company has failed to take "reasonable and appropriate security measures" to protect personal information. Yesterday, in its 27th case challenging inadequate data security practices by organizations that handle sensitive consumer information, the FTC announced settlement of its complaint against Dave & Buster's, the restaurant chain. The FTC alleged in its complaint that, from April 30, 2007 to August 28, 2007, a hacker exploited vulnerabilities in Dave & Buster's systems to install unauthorized software and access approximately 130,000 credit and debit cards.