The HITECH Act's data breach notification requirement is the first such requirement to come from the federal government, but it most likely will not be the last. And from what I can tell, the harm threshold observers have been concerned about in the HITECH Act might not be as big of an issue the next time around.
Not quite three months ago, Sen. Patrick Leahy, D-Vt., introduced the Personal Data Privacy and Security Act, S. 1490, once again. Previous iterations of the bill have been before the Senate in 2005 and in 2007. Hogan & Hartson attorney Mark Paulding admits we can't predict whether the law will make it this time around, but he says its provisions could predict coming trends in privacy and security requirements.
Paulding points to several things that make this bill different from current data breach-notification laws. Of most importance, of course, is that this is a federal requirement, and it includes a comprehensive preemption clause. If it passes, the standards in this bill will trump those in state laws on the same subject as well as those set out in the HITECH Act, which became law earlier this year. He also notes that the bill provides criminal penalties for "knowing concealment of a security breach that results in economic damage to any person." Penalties can include fines and/or up to five years in prison.
The bill also includes a safe-harbor provision. Notification is not required, Paulding says, "if a risk assessment concludes that there is no significant risk of harm to individuals because the compromised data was encrypted or otherwise rendered indecipherable or inaccessible." The act requires the covered entity to send the risk assessment to the Secret Service within 45 days of discovering the breach. The final decision regarding whether the company can take advantage of the safe-harbor provision rests with the Secret Service.
The act also includes exemptions for companies participating in fraud-prevention programs, and authorizes federal and state law enforcement to seek civil enforcement of the act. Civil penalties up to $1 million per violation may be imposed.