On December 8, 2009, while struggling with health care reform, financial industry overhaul, a spiraling deficit, the risk of a double-dip recession, and all of the other headline-grabbing events of the past months, the House of Representatives took an important step in pushing forward legislation which could, if enacted, have a significant impact on almost every company in the United States. This new proposal, together with a number of recently adopted state laws, should spur action by companies that collect or maintain information about their customers, vendors and employees — that is, every company that does business in the United States!
Ever since California passed the first law requiring companies to notify individuals of potential security breaches, companies have been faced with an increasing volume of often contradictory laws governing breach notification — as of this date, 45 states, the District of Columbia, Puerto Rico and the Virgin Islands have adopted separate, non-uniform laws governing the notification of security breaches. Because more and more companies, large and small, do business in a variety of states through the Internet, mail and physical presence, the existence of a wide variety of laws with different requirements makes an effective response time-consuming and expensive. Moreover, because of this wide variety of laws, it is possible that by complying with the law in one state, a company could violate the law of another.
By passing HR 2221, the Data Accountability and Trust Act, the House of Representatives took an important step toward creating a nationwide law governing breach notification. This is the first time any such statute has made it to the floor of either the House or the Senate.
While it may be premature to assume that legislation will be passed through both houses and signed by the President, the contours of a law are beginning to take shape and companies should begin to consider its impact. Unlike most breach notification laws, the Act requires that an entity holding data containing personal information adopt security measures to protect that data. In another departure from existing laws, the entity must also notify affected consumers in the event of a breach unless the entity determines there is "no reasonable risk of identity theft, fraud, or other unlawful conduct."
The first issue — the obligation to adopt security measures to protect data — requires immediate attention. Only a few states have adopted similar requirements, but even if Congress delays adopting HR 2221, companies can expect this standard to be the norm. As a result, we recommend that all companies revisit their information security policies and implementation to consider how they can prepare for this new standard.
Robert Braun is a Partner at Jeffer Mangels Butler and Marmaro LLP in the Firm’s Corporate Department. Bob’s practice, spanning more than 20 years, focuses on corporate, finance, and securities law with an emphasis on implementing technologies, information security, hospitality and business transactions. For more information, contact Bob at 310.785.5331 or RBraun@JMBM.com.