Once the smoke and dust clears from the latest enormous data breach, the fried servers are hauled away and the ritual IT department purge takes place, the focus seems to turn to the lack of any comprehensive national data breach law. Although certain sector-specific breach notification laws are in place, such as HIPAA/HITECH in the health information realm, most businesses in the U.S. remain subject to a jigsaw puzzle of 46 different state laws.
At present, only Alabama, Kentucky, New Mexico and South Dakota lack a notification law. And even New Mexico and Kentucky are considering dipping their toes in these waters, albeit more reluctantly on the part of Kentucky (since its law would only cover state agencies, not businesses). This thicket of state laws is a huge ordeal for businesses, since the notification triggers, timing and notice content requirements can vary widely.
So is an all-encompassing national data breach notification law merely a quixotic quest? In January 2014, for the fifth time since 2005, Senator Patrick Leahy (D-VT) introduced legislation entitled the Personal Data Privacy and Security Act. The main provisions of the 2014 version of the PDPSA include:
- applies to businesses that compile, access or process information on 10,000 or more U.S. individuals;
- notice after a security breach must be made to affected individuals within 60 days of discovery;
- media notice is required if 5,000 or more individuals in any one state are affected;
- notice need not be provided if the entity determines that there is no significant risk of harm or fraud to individuals (but the FTC must concur with the risk assessment);
- the Act does not preempt the rights of states to require state-specific additional victim protection information to be provided in the notice; and
- notice to federal law enforcement is required under various thresholds.
While you have to admire Sen. Leahy’s persistence, it’s not hard to see some problems with the proposed legislation. The risk assessment provision alone looks like it could be a particular morass. The fact that a government agency must concur with any risk assessment inevitably will lead to confusion, delay and uncertainty on whether notification is required for a particular breach.
Moreover, since the law does not 100% preempt state data breach notification laws, but leaves in some of the notice content requirements, businesses will still have to apply the notification laws of the various states. In other words, the PDPSA could potentially make it even harder for businesses. Add to that the multi-tiered approach to notifications, including possible media notice and law enforcement notice.
Senator Tom Carper (D-Del.) has also introduced national data breach legislation. Carper’s bill, the Data Security Act of 2014 (DSA), includes some key differences from Sen. Leahy’s competing bill. The DSA would completely preempt state data breach notification laws. Additionally, the DSA is broader, as it would apply to any entity that maintains or communicates sensitive account or personal information.
Under the DSA, consumer notification is required if the sensitive information “is reasonably likely to be misused in a manner causing substantial harm or inconvenience to the consumers to whom the information relates.” Substantial harm includes not only material financial loss to the consumer, but also “significant time and effort” by the consumer to correct erroneous credit information. This last prong seems to open a can of worms regarding consumer inconvenience.
So where do these proposed national data breach laws stand now? Mired in committee. Leahy’s bill is with the Senate Judiciary Committee, which he chairs. In the meantime, Carper’s bill has been assigned to the Senate Banking, Housing and Urban Affairs Committee.
In fact, the different legislative fiefdoms are part of the problem. There are too many congressional committees claiming jurisdiction over cybersecurity and data breach issues. Another data breach bill, sponsored by Sen. Pat Toomey (R-PA) back in 2013, is before the Senate’s Commerce Committee. Without a singular focus at the committee level, it is hard for a particular bill to gain traction.
In addition to congressional dysfunction, other roadblocks to national legislation include competing interest groups. Consumer groups are concerned that an all-encompassing federal law could be watered down in the legislative process and end up weaker than some of the existing state laws. On the other hand, business interests are looking to minimize costs associated with data breaches, and therefore seek to limit the circumstances where notification is required, such as only when there is clearly a risk of theft or fraud to a consumer.
So despite recent well-publicized data breaches, and even urging by U.S. Attorney General Eric Holder for a strong national breach notification law, it seems unlikely that Congress will pass a data breach law in the foreseeable future. In the meantime, businesses will continue to grapple with the complexities of the numerous state laws, while at the same time trying to ward off the persistent threat of hackers, criminals and careless employees.