This bill, introduced as S.2289 in the Senate on January 10, 2018, creates an Office of Cybersecurity within the Federal Trade Commission (OCS-FTC), initially funded with $100 million. The OCS-FTC is responsible for oversight and implementation of the new law once it takes effect. It will create, issue, and distribute regulations requiring covered entities to provide a complete overview of the technical and organizational security measures they have in place: system and network security measures, network management and monitoring, application management (including continuous vulnerability assessment and remediation), and data security. The data security requirements in the legislation are quite comprehensive and specify format-preserving encryption for data at rest and in transit.
While the legislation is targeted at credit reporting agencies, the covered data is broadly defined. In practice, any collected database of typical consumer data that is used for almost any purpose and communicated to another party will easily fall under the definitions and applicability of the pending law.
Recently there have been many public and highly visible issues around cyberattacks and data privacy regulation. The European Union has implemented the General Data Protection Regulation (GDPR) and is likely to terminate the Privacy Shield arrangement with the United States. Couple this with the failure of industry to set and implement initiatives sufficient to provide adequate protection, as well as the recent Cambridge Analytica scandal, and there is a significant probability that this pending legislation could evolve into a national data protection and data privacy regulation similar to Europe's GDPR.
The responsibility of any business that falls under the legislation's definition of a consumer reporting agency is straightforward. It must provide the OCS-FTC with information about its security measures, demonstrate reasonable data protection measures, and notify the OCS-FTC of a covered breach within the specified window, which is not later than 10 days after the covered breach.
A breach covered under the legislation is any instance in which at least one piece of personally identifying information (PII) is exposed, or is reasonably likely to have been exposed, to an unauthorized party. PII is broadly defined to include:
A social security number, driver’s license number, passport number, alien registration number, or some other government-issued unique identification number, such as an airline security (TSA) redress number;
Unique biometric data, such as a faceprint, fingerprint, voice print, iris image, or other unique physical representations (which we expect to also include DNA data although not called out specifically in the draft legislation at this time);
An individual's first and last name, or first initial and last name, in combination with any information that relates to the individual's past, present, or future physical or mental health or condition, or to the provision of health care to, or the diagnosis of, the individual;
Financial account number, debit card number, credit card number, or the passcodes or PINs required to access the referenced accounts; and
Any other information, as determined by the Director of the Office of Cybersecurity.
The OCS-FTC is tasked with tough enforcement. Not later than 30 days after the date on which the Commission receives notification of a covered breach, it is to commence a civil action in a district court of the United States to recover a civil penalty from the covered consumer reporting agency that was subject to the breach.
Penalties are specified as $100 for each consumer whose first and last name (or first initial and last name) and at least 1 item of personally identifying information were compromised, and an additional $50 for each further item of personally identifying information compromised for that consumer.
Depending on the number of records and the fields held in the impacted database, this could easily produce fines ranging from hundreds of millions of dollars to billions of dollars for most credit reporting agencies, even the smaller ones.
The fine is ultimately capped at 50 percent of the previous year's annual revenue, or 75 percent if the covered entity failed to notify the OCS-FTC of the breach in a timely way or violated any other regulation promulgated by the OCS-FTC (such as failing to meet the procedural and cybersecurity standards it creates).
Take the example of a smaller consumer reporting agency with 6 million records. It has not deployed end-to-end encryption and has left the data vulnerable and out of compliance as determined by the OCS-FTC. The data is breached, and each record includes the consumer's full name, social security number, and two credit card numbers. The penalty is $100 per consumer for the name in combination with the social security number (the first item of PII), plus $50 for each of the two credit card numbers, another $100. $200 per consumer times 6 million records nets out to a potential fine of $1,200,000,000. Because the firm was also out of compliance with the OCS-FTC standards, the higher cap of 75 percent of the prior year's revenue would apply rather than 50 percent, which does not provide much comfort.
The implications of the pending Federal Data Breach Prevention and Compensation Act are substantial for information technology, governance, compliance, and cybersecurity within the regulated entities. The OCS-FTC will specify cybersecurity infrastructure and require annual inspections and verification of adequate defenses. It is mandated to require the use of comprehensive encryption and will apply oversight to other key cyber defense technologies. Organizations that must comply will need to bring in the necessary cyber defense tools, including end-to-end encryption to protect data at rest, in transit, and in use, to reduce the risk of a breach. You will need to harden your defenses, both on-premises and in the cloud.
Find out more about how we can help you prepare for this legislation and the other global compliance requirements that affect data privacy, data protection, data sovereignty, and much more in the webinar. Watch the video now!