At the White House Summit on Cybersecurity and Consumer Protection at Stanford University on February 13, 2015, President Obama called for a single national data breach standard and for improved information sharing about threats to America's technology infrastructure between government and the private sector. In the past two months, Congress has responded with multiple bills to address these pressing issues.
First, the Data Security and Breach Notification Act of 2015 was passed by the House Energy and Commerce Committee on April 15, and was sent to the House floor. The Act would set a single national standard for data breach notification that would be enforced by the Federal Trade Commission ("FTC") and the states' attorneys general, and would preempt state data security and breach notification statutes. While the Act did make it out of committee, the vote was along party lines, including a no vote from the Act's Democratic co-sponsor.
States and privacy groups have criticized the Act for its broad preemptive effect, with the attorneys general of Massachusetts and Illinois voicing concerns at Congressional hearings about preempting the stronger standards of their own state laws. House Democrats also objected to the high threshold at which notification will be required (e.g., 10,000 affected individuals) as well as the narrow definition of what misappropriated "personal information" is sufficient to trigger a notification. Similarly, the Senate introduced The Data Security Act of 2015 on April 15, which also aims to set national standards for how companies investigate, respond to, and notify regulators and consumers of a data breach.
Second, the National Cybersecurity Protection Advancement Act of 2015 (NCPAA) quickly received approval from the House Homeland Security Committee, and the House passed the bill on April 23 with significant bipartisan support, despite opposition from privacy advocates and consumer groups. The NCPAA expands the mandate of the Department of Homeland Security's already existing National Cybersecurity and Communications Integration Center to facilitate information sharing between the federal government and private entities. The bill provides legal privileges (e.g., immunity) for sharing cyberthreat information, and would give private entities license to monitor and defend their information systems for cybersecurity purposes.
The NCPAA was combined with the Protecting Cyber Networks Act, passed by the House on April 22, and sent to the Senate as a single piece of legislation. The Senate has its own cyberthreat information sharing bill (Cybersecurity Information Sharing Act of 2015) that it expects to vote on in the coming weeks. President Obama has been supportive of both the House and Senate bills and issued a Statement of Administration Policy supporting their passage.
Everett Monroe, a law clerk with Hanson Bridgett, assisted in authoring this post.