Barriers to a Breach Notification LawConsensus Lacking on What the Statute Should Say
The often conflicting advice witnesses offered at a House hearing on legislation to nationalize data breach notification gave attendees an idea what Prussian statesman Otto von Bismarck meant when he observed: "Laws are like sausages; it is better not to see them being made."
The March 18 hearing didn't get ugly, but showed how messy lawmaking can be. Seven witnesses from government and industry testifying at the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade proffered a wide range of recommendations on what should be incorporated into the Data Security and Breach Notification Act of 2015. And not every witness believes such a law is needed.
The hearing was called to review a discussion draft of the bill that has been circulating around Capitol Hill this past week (see Seeking Compromise on Data Breach Notice Bill). Think of the testimony as the ingredients different chefs use to flavor the "sausage" - the provisions in the bill.
The testimony revealed fundamental challenges lawmakers must overcome if a national data breach notification law is to be enacted, including jurisdiction, penalties, defining personally identifiable information and the types of information to be protected.
Patchwork of State Requirements
Supporters of nationalizing data breach notification argue that having a single statute to replace the laws in 51 different jurisdictions - 47 states, three territories and Washington, D.C. - would make compliance easier and less costly. "Having to comply with a patchwork of state requirements has created confusion and uneven protection even though a single breach rarely obeys state boundaries," says former Federal Trade Commission chairman Jon Leibowitz, who was testifying as co-chairman of the 21st Century Privacy Coalition, a group of communications companies.
But pre-empting state laws would weaken some consumer protections. About a dozen states' data breach notification laws, including one in Massachusetts, prescribe how data containing personally identifiable information should be secured (see Breach Bill: Adverse Impact on Privacy?). The draft legislation would nullify those requirements if enacted as written, and that "represents a significant retraction of existing protections for consumers at a time when such protections are imperative," Massachusetts Assistant Attorney General Sara Cable says. "Minimum data security standards are important and necessary, but the proposed standards leave consumers' data vulnerable."
Where Breaches Occur
SOURCE: Verizon 2014 Data Breach Investigations Report
While Massachusetts has the nation's most prescriptive law in requiring businesses to secure data containing PII, the draft bill calls on businesses to implement and maintain reasonable security measures and practices to secure information in electronic form against unauthorized access, a far less burdensome requirement. Still, Leibowitz points out, for more than three dozen states that don't require PII protections, the draft bill would strengthen privacy safeguards for many more consumers.
It's not just state laws that the draft bill would usurp. The discussion draft legislation would authorize the Federal Trade Commission and states attorneys general to enforce it, removing the Federal Communications Commission jurisdiction over communications companies it now regulates in regards to data breaches.
"The draft bill would alter this legal framework and leave gaps as compared to existing consumer protections," says Cleve Johnson, FCC chief counsel for cybersecurity, who adds that "the FCC actively enforces the data privacy and security provisions of the Communications Act and related rules."
But Leibowitz says enforcing the law should be left to the FTC and state AGs, noting that the regulatory strength of the FCC is in allotting and regulating airwave and wireless spectrum and not in enforcing security and privacy laws. The FTC has been enforcing privacy protections since enactment of the Fair Credit Reporting Act in the early 1970s, Leibowitz says. "The FTC should be the sole enforcer of data security because I think it does a really good job and has expertise and it's been concentrated on that for decades," he says.
Penalty: Insufficient or Punitive?
Another challenge lawmakers must overcome is to decide penalties to assess companies that fail to adhere to notification requirements. The discussion draft would allow the government to fine companies up to $2.5 million for each incident if they failed to comply with the law.
Cable, the Massachusetts assistant AG, characterizes the proposed penalty as insufficient. "Given the massive scope of recently-reported breaches affecting some of the largest companies in the country, a civil penalty cap of $2.5 million may be an insufficient deterrent, and could be treated as a cost of doing business." she says.
But Information Technology Council General Counsel Yael Weinman sees it differently, calling the $2.5 million penalty cap "punitive." She reminded lawmakers that "breached entities" that would be penalized are victims of a crime. "Organizations can and should do their part to protect consumer data from unauthorized access, but civil penalties that are five times higher than previous congressional proposals are seemingly punitive in nature and thus not appropriate to impose on an organization that has been victimized by criminal hackers," Weinman says.
The draft bill also would require notification to consumers no later than 30 days after the organization has taken "necessary measures" to determine the scope of the breach and restored the reasonable integrity, security and confidentiality of the data systems. State laws vary on when organizations must notify consumers of a breach. Many simply state that notification must be made in a reasonable amount of time; others have specific time limits.
"By requiring notice only when the entity both discovers a breach of security and determines that a reasonable risk of identity theft, economic loss or harm, or financial fraud has resulted or will result, the bill creates a disincentive for an entity to monitor their systems for potential compromises or vulnerabilities, an outcome directly at odds with the bill's stated purposes," Massachusetts' Cable says.
The draft legislation would require notification only if financial harm occurs, though 33 state and Washington, D.C., have breach laws that recognize various forms of non-financial harms to trigger notification, including exposure to personal medical information in seven states, says Laura Moy, senior policy counsel for the New America's Open Technology Institute, a digital rights advocacy group.
"This bill constitutes a step backwards for many consumers," Moy says. "The bill should leave room for states to require notification even in circumstances where the harm is not clear or is not financial in nature. Barring that, at the very least, the bill's trigger provision should be as inclusive as the most inclusive state-level triggers."
And Jessica Rich, FTC director of consumer protection, says the definition of PII should be expanded to include government-issued identification numbers such as drivers' licenses and passports that identify thieves seek.
But Leibowitz warns against enacting legislation that is too broad in scope. "What do hackers care about?" he asks. "They care about personal identification and the financial information. And what do consumers care about? They care about the Social Security numbers, they care about their financial information being taken, they care about economic harm more than anything else. And, that's what drives this problem."
Energy and Commerce Committee Chairman Fred Upton picks up on Leibowitz' theme of Congress enacting a narrowly focused bill. "By targeting the most sought-after personal information and the areas lacking current federal protections, this bill avoids controversial issues that have derailed past efforts," the Michigan Republican says. "Our goal is to create clear requirements to secure personal information from - and notify consumers in cases of - unauthorized access; the goal is not to broadly regulate the use of data."
Even with such narrow goals, no one is predicting quick enactment of the legislation. Most lawmakers as well as President Obama say they see the need for a national breach notification law, but as subcommittee Chairman Michael Burgess, R-Texas, points out such legislation has been before Congress for the past six years without coming up for a vote. It takes time to season sausage properly.
An earlier version of this story incorrectly stated the hearing was held on April 18. The hearing was held on March 18.