This week, President Obama called on the United States Congress to pass cybersecurity legislation by issuing a proposal of his own, which he plans to discuss during the State of the Union Address on January 20, 2015.
The President’s proposal aims to “clarify and strengthen the obligations companies have to notify customers” of a data breach by creating a single federal standard that would require companies to notify affected consumers within 30 days after a data breach is discovered. The proposal also encourages the sharing of cyber threat information between the private sector and federal agencies by providing liability protection to participating companies. Additionally, the President’s proposal would give law enforcement agencies broader power to investigate and prosecute cybercrimes. Several existing laws would be modernized to cover cybercrime, including the Racketeer Influenced and Corrupt Organizations Act (RICO), whose provisions and penalties would be extended to cybercrimes, and the Computer Fraud and Abuse Act, which would be updated to cover corporate insiders who abuse confidential information.
Currently, 47 U.S. states and several U.S. territories have their own individual data breach disclosure laws. State law protections differ, creating varied compliance responsibilities for companies that experience a data breach. For example, some laws allow companies an extension of time to notify consumers when disclosure could impede a state criminal investigation. See, e.g., Cal. Civ. Code §1798.82(c); Del. Code tit. 6, §12B-102(c). Other state laws allow substituted notice when individual notification of a breach is cost prohibitive, or may limit notification to the residents of the state in which the breach occurred. See Mich. Comp. Laws §445.72(5)(d); Mo. Rev. Stat. §407.1500(2)(6)(d); Va. Code §18.2-186.6(A)(4).
So far Congress has been unable to agree upon a national data breach notification standard. Importantly, it remains to be seen whether the business community views this proposal as streamlining the patchwork of state notification laws, or whether a national standard is seen as creating additional regulatory burdens on businesses. It is also uncertain whether federal agencies would have exclusive authority to investigate data breaches under the President’s proposal, or whether state authorities would retain a role.