Canadian Underwriter
RIMS supports ‘unified standard’ across United States for cyber privacy breach notification


May 26, 2015   by Canadian Underwriter



As Canadian politicians debate a proposed privacy breach notification law, Risk and Insurance Management Society Inc. suggested Tuesday that it supports a “unified standard” south of the border: rules mandating notification whenever a data security breach results in an unauthorized release of private personal information.

Risk and Insurance Management Society Inc. is advocating for a unified standard of privacy breach notification rules across the United States

“There are currently 47 different state data breach notification laws in place,” RIMS stated Tuesday in a press release on breach notification rules in the United States. “This has proven onerous for commercial insurance buyers whose organizations operate in multiple states and must comply with several different laws whenever a cyber-breach is experienced.”

In Canada, Bill S-4, the Digital Privacy Act, was passed last year by the Senate and is currently before the House of Commons. Originally tabled in 2014 by British Columbia Conservative Senator Yonah Martin, Bill S-4 was subject to hearings before the Commons industry, science and technology committee this year. If passed into law, Bill S-4 would require companies to tell clients when personal information has been lost or stolen, said Mike Lake, parliamentary secretary to Industry Minister James Moore, in the Commons last year.

“Organizations would face fines of up to $100,000 per client they fail to notify that the data breach has occurred,” Lake said at the time of Bill S-4. It was last debated May 12 and has yet to pass third reading in the Commons.

In the United States, two versions of the Data Security and Breach Notification Act of 2015 are before Congress. If passed into law, the legislation would essentially establish nation-wide rules for notification of incidents where personal information is compromised.

“Reducing redundancies in the cyber breach reporting process as opposed to having to report them state-by-state will allow risk professionals to assess the situation faster and implement more effective response plans,” RIMS president Rick Roberts (pictured below) stated in a release Tuesday.

RIMS is a non-profit organization, with 10 chapters in Canada, representing more than 3,500 organizations in more than 60 countries.

Rick Roberts, president of the Risk and Insurance Management Society Inc., is in favour of reducing redundancies in the United States in the cyber breach reporting process

The Senate version of the Data Security and Breach Notification Act “establishes criminal penalties of a fine, imprisonment for up to five years, or both, for concealment of a security breach that results in economic harm of at least $1,000 to an individual.”

A RIMS spokesperson told Canadian Underwriter Tuesday that RIMS does not take a position “on aspects relating to criminal penalties,” adding that both the House and Senate versions “establish a national standard for notification (and preemption of the 47 different state laws), which is our point of emphasis and support.”

In order to be signed into law by the president, the same version of a bill has to be approved by both houses of Congress.

Last January, Bill Nelson (a Democrat representing the state of Florida) tabled the Senate version, which was referred at the time to the commerce, science and transportation committee.

Then on April 14, Marsha Blackburn (a Republican representing the 7th District of Tennessee) tabled a different version in the House of Representatives. The House version is currently before the subcommittee on commerce, manufacturing, and trade of the House committee on energy and commerce.

That bill would “expressly preempt any related State laws to ensure uniformity of this Act’s standards and the consistency of their application across jurisdictions.”

The Senate version proposes to supersede any state law that “requires information security practices and treatment of data containing personal information” similar to those proposed under Section 2 of the Senate version. It would also supersede any state law requiring notification to individuals of a breach of security as defined in section 6 of the Senate version.

Both versions propose “one unified standard and procedure for breach notification,” RIMS stated Tuesday. “This increased efficiency and simplicity for RIMS’ membership is the reason that Society supports this proposal.”

The House version proposes to require entities to investigate breaches to determine whether there is a “reasonable risk” that the breaches have resulted or will result in identity theft, economic loss, economic harm or financial fraud to the persons whose information was compromised. They would be required to notify any U.S. resident whose personal information was breached, unless there was “no reasonable” risk.

It also proposes to require – in cases where there is “reasonable basis to conclude” that more than 10,000 persons’ records were breached – that the covered entities notify, within 10 days, the U.S. Federal Trade Commission (FTC) and the Secret Service or Federal Bureau of Investigation.

The House version proposes that civil penalties per violation would not exceed $2.5 million.

If passed into law, the Senate version would require the FTC “to promulgate regulations” requiring companies and other entities that possess personal information “to implement information security policies and procedures for the treatment and protection” of that information. The “covered entities” would also include contractors who process such data.

The Senate bill would also require “covered entities” to notify the FTC of breaches unless they have already notified a federal entity designated by the Department of Homeland Security.

