To determine whether there is a reasonable risk of identity theft, covered entities must consider a number of factors. The proposed legislation requires covered entities to evaluate whether the data contains sensitive personal information usable by an unauthorized third party and whether the data is in the possession and control of an unauthorized party likely to commit identity theft. The notice provisions related to consumers are very similar to the state provisions – written or electronic notice and substitute notice under certain circumstances.
Like the majority of state laws, under the ITPA, covered entities would not have to notify consumers of a breach when notice would materially impede a civil or criminal investigation or when notification would threaten national security. The ITPA would be enforced by the FTC, as well as other relevant federal agencies (e.g., the Securities and Exchange Commission would have power to enforce the ITPA with respect to broker/dealers). Although civil penalties are authorized under the ITPA, there would be no private right of action.

c. The Personal Data Privacy and Security Act.
The Personal Data Privacy and Security Act (PDPSA) is also currently pending in the Senate. It was introduced on September 29, 2005 by Senators Arlen Specter [R-PA], Russell Feingold [D-WI], Dianne Feinstein [D-CA], and Patrick Leahy [D-VT].12 The bill has been sent by the committee to be considered by the entire Senate. The PDPSA does not apply to financial institutions, entities covered by HIPAA, or any business that qualifies for exemption under the Safe Harbor provision. The Safe Harbor provision exempts businesses that provide protection equal to industry standards, as identified by the FTC.
All other agencies or business entities engaged in interstate commerce that use, access, transmit, store, dispose of, or collect sensitive personally identifiable information would be required to notify any resident of the United States whose information has been, or is reasonably believed to have been, accessed or acquired. This notification must be provided without unreasonable delay. Sensitive personally identifiable information is defined as an individual’s first name or first initial and last name, and:
- a non-truncated social security number, driver’s license number, passport number, or alien registration number;
- two of the following:
  - home address or telephone number;
  - mother’s maiden name;
  - complete birth day;
- fingerprint, voiceprint, retina or iris image, or any other unique physical representation; or
- a unique account identifier, electronic identification number, user name, or routing code, in combination with any associated security code, access code, or password.
Additionally, sensitive personally identifiable information includes a financial account number, credit card number, or debit card number, “in combination with any security code, access code, or password that is required for an individual to obtain money, goods, services, or any other thing of value.”
The notification provisions would not apply to an agency, if the agency certifies in writing that notification may hinder an investigation or cause damage to national security. Businesses would not have to follow the notification provisions if a risk assessment indicates that there is no significant risk of harm to the individuals and the business notifies the Secret Service of the results of the risk assessment without unreasonable delay but not later than 45 days after the breach. Businesses would also be required to notify the Secret Service of their intent to invoke the risk-assessment exemption. The Secret Service would then have 10 days to compel the business to provide notice.
Businesses that are required to disclose security breaches under the PDPSA would be required to provide individual notice and media notice. The individual notice requirements would be satisfied by providing written notice, telephone notice to the individual personally, or e-mail notice if the individual consented to receive such notice. Additionally, if more than 1,000 individuals are involved, the agency or business must notify all consumer credit reporting agencies.
Additionally, the agency or business must give notice of the security breach to the Secret Service if the number of individuals affected exceeds 10,000, if the database accessed contains sensitive personally identifiable information of more than 1,000,000 individuals, if the breached database is owned by the federal government, or if the sensitive personally identifiable information is that of federal government employees or contractors.
Like the ITPA, the PDPSA would completely preempt state laws regarding security breach notifications. The proposed legislation expressly prohibits private causes of action for injuries related to security breaches, but it does provide for civil penalties in actions instituted by the Attorney General.