The ever-increasing threat of data security breaches and cyber terrorism has given rise to an intense debate over the nation’s cybersecurity laws. Over the past several years, numerous federal data security bills have been proposed, but most were never enacted. Given the congressional inaction and the failure of the most recently debated proposal, a presidential Executive Order on cybersecurity is on the horizon. This article discusses the existing state and federal data security regulatory schemes in the United States, and the debate surrounding recent cybersecurity bills.
State Data Security Laws
Data breach notification laws have been enacted in 46 states, as well as the District of Columbia, Puerto Rico, the U.S. Virgin Islands, and Guam. Four states—Alabama, Kentucky, New Mexico, and South Dakota—have no such laws. Though the data breach notification laws vary by jurisdiction, they generally require businesses to notify consumers whose personal information has been compromised by a security breach “in the most expedient time possible” or “without unreasonable delay.” See, e.g., Cal. Civ. Code § 1798.82; Conn. Gen. Stat. § 36a-701b; R.I. Gen. Laws § 11-49.2-3.
A minority of states—including Massachusetts, California, Connecticut, Rhode Island, Oregon, Maryland, and Nevada—have also enacted laws requiring businesses to maintain data security standards to protect state residents’ personal information from being compromised. See 201 CMR 17.00 et seq.; Cal. Civ. Code § 1798.81.5; Conn. Gen. Stat. § 42-471; R.I. Gen. Laws § 11-49.2-2; Or. Rev. Stat. § 646A.622; Md. Code, Comm. Law § 14-3501; Nev. Rev. Stat. § 603A.210. The state data security laws, which are intended to protect against data breaches, typically require businesses to implement and maintain reasonable security measures.
The Massachusetts data privacy regulations, 201 CMR 17.00 et seq., which became effective in March 2010, are among the most comprehensive and burdensome of the state data security laws. The Massachusetts regulations go beyond most other state data security laws by requiring every “person” or entity—including businesses both inside and outside of Massachusetts—holding, processing, or otherwise accessing personal information of Massachusetts residents to:
- develop a comprehensive written policy outlining its physical, administrative, and technical information security measures;
- maintain extensive computer system security requirements (e.g., secure user authentication protocols/passwords, secure access control measures, monitoring of systems, up-to-date firewalls and virus/malware protection);
- encrypt all records containing personal information transmitted over wireless networks or stored on portable devices;
- require third-party service providers (e.g., payroll providers, outsourcers) receiving personal information, by contract, to maintain security measures in compliance with the regulations;
- train employees on compliance with data security policies; and
- regularly monitor and review security measures, at least annually, to ensure they are preventing unauthorized access to personal information.
When the Massachusetts data privacy regulations were enacted, some speculated that the regulations might become a model data security standard nationally. However, while several states—including Connecticut, Vermont, and Texas—have been active in amending their breach notification laws in the past few years, none have adopted the comprehensive requirements of the Massachusetts data privacy regulations.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard established in 2004 by the major credit card companies that contractually requires merchants accepting credit, debit, and other payment cards to safeguard cardholder data. The PCI standards set forth extensive security requirements, including:
- build and maintain a secure network (e.g., maintain firewalls and secure passwords);
- protect cardholder data (e.g., through encryption);
- maintain a vulnerability management program (including updated anti-virus software and secure systems/applications);
- maintain strong access control measures;
- regularly monitor and test networks;
- maintain a written information security policy;
- train employees on compliance with data security policies;
- maintain an incident response plan; and
- monitor the PCI DSS compliance status of any service providers with whom cardholder data is shared, at least annually.
Some states, such as Nevada, have incorporated the PCI standards, including the encryption requirement, into their state data security laws. See Nev. Rev. Stat. § 603A.215. The failure to comply with state data security laws or the PCI standards could give rise to regulatory enforcement actions under unfair and deceptive acts statutes.
Federal Data Security Laws
During the past decade, Congress has enacted a number of laws governing data security in certain specific contexts, including:
- the Fair Credit Reporting Act (“FCRA”), which imposes requirements for the collection, disclosure, and disposal of data collected by consumer reporting agencies;
- the Gramm-Leach-Bliley Act (“GLBA”), which mandates data security requirements for “financial institutions” (broadly defined to include banks, mortgage companies, insurance companies, financial advisors, investment firms, etc.);
- the Children’s Online Privacy Protection Act (“COPPA”), which requires covered website operators to maintain reasonable procedures to protect the personal information of children;
- the Health Insurance Portability and Accountability Act (“HIPAA”), which requires health care providers to maintain security standards for protected health information;
- the Health Information Technology for Economic and Clinical Health (HITECH) Act, which strengthens penalties for HIPAA violations and extends HIPAA violation liability to “business associates” to whom protected health information is disclosed (e.g., third-party administrators, accounting firms providing services to health care providers); and
- the FTC’s Red Flags Rule, which requires financial institutions and creditors holding consumer accounts to maintain a written identity theft prevention program.
Although many other data security bills have been proposed over the past few years, most were never enacted. Examples of recent legislative proposals include:
- the Data Security and Breach Notification Act of 2012, which would require companies to maintain “reasonable” security measures to protect personal information and would establish a uniform breach notification law;
- the Cybersecurity Act of 2012, which would create “cybersecurity performance requirements” and voluntary cyber threat information sharing standards among private sector companies operating critical infrastructure (e.g., energy, water, transportation);
- the Cyber Intelligence Sharing and Protection Act and the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT), which would promote voluntary sharing of cyber threat information between private companies and the government;
- the Personal Data Privacy and Security Act of 2011, which would establish a uniform breach notification law and require businesses handling sensitive personal information of more than 10,000 individuals in the course of interstate commerce to maintain a comprehensive data privacy and security program; and
- the Data Security Act of 2011, which would require businesses to maintain “reasonable policies and procedures” to protect the confidentiality and security of sensitive personal information that they maintain or communicate.
In September 2012, the White House prepared a draft Executive Order on cybersecurity aimed at protecting the nation from cyber attacks, which would create information sharing mechanisms between private industry and government, and direct federal agencies to develop voluntary cybersecurity guidelines for power, water, and other critical infrastructure companies. Shortly thereafter, Senator John D. (Jay) Rockefeller IV—Chairman of the Senate Committee on Commerce, Science, and Transportation—sent letters to every CEO of the Fortune 500 companies stressing the “immediate” and “unprecedented” cyber threats the country faces, urging them to reconsider their positions on cybersecurity legislation, and requesting that they outline their cybersecurity practices and views on the Cybersecurity Act of 2012. The failure of Congress to pass the Cybersecurity Act of 2012 or other cybersecurity legislation makes it more likely that the White House will issue the Executive Order in the near future.
There currently is no federal statute imposing general data security standards on businesses in all industries. Despite this, the FTC—taking the position that it has authority over “unfair and deceptive practices” related to data security—has brought numerous enforcement actions against companies alleging data security violations under Section 5 of the FTC Act, 15 U.S.C. § 45, which bars “unfair or deceptive acts or practices in or affecting commerce.”
There have been few challenges to the FTC’s authority to enforce data security laws, since prior cases have settled by consent orders before any significant litigation activity. However, a pending case, FTC v. Wyndham Worldwide Corporation, raises the unresolved question of the scope of the FTC’s authority to regulate data security in the absence of specific legislation. In this case, Wyndham moved to dismiss the FTC’s enforcement action on the ground that the Commission has no authority to establish and enforce data security standards under the “unfairness” prong of Section 5. A decision in Wyndham’s favor would undermine the FTC’s enforcement authority in the area of data security going forward.
The Cybersecurity Debate
In light of these developments, the cybersecurity debate has intensified in recent months. Some important questions raised include: Should further federal data security legislation, particularly that which regulates the nation’s critical infrastructure, be enacted? Should federal legislation be enacted establishing general data security requirements across all industries, and if so, what should those requirements be? Proponents of cybersecurity legislation and the anticipated cybersecurity Executive Order argue that “the threat is real and must be stopped.” In fact, recently, President Obama declared that “the cyber threat to our nation is one of the most serious economic and national security challenges we face,” and U.S. Secretary of Defense Leon Panetta warned of a “cyber Pearl Harbor,” an attack on U.S. critical infrastructure that would “cause physical destruction and the loss of life.”
Proponents further contend that “sophisticated adversaries could paralyze the nation with targeted cyber attacks on critical networks,” that some have already penetrated networks in the oil and natural gas sector, and that some companies operating critical infrastructure have ignored basic information security measures. They also argue that an Executive Order is necessary because “[t]he threats to our national and economic security are simply too great to wait for legislation.”
Opponents of the legislation and the Executive Order, including the U.S. Chamber of Commerce and many Republicans, believe that more regulation is not necessarily the answer to the cybersecurity challenges the country faces. While they agree that cyber terrorism threatens the nation and its economy, opponents argue that complying with legislation or the proposed Executive Order would be burdensome and costly for businesses. They also believe that unilaterally issuing an Executive Order would wrongly circumvent Congress on an important issue. Proponents of the legislation respond that “while there is a cost to doing more to improve cybersecurity, there is a bigger cost if we do not and that cost is measured not only in dollars, but in national security and public safety.”
More cybersecurity legislation is expected. In fact, according to new House Homeland Security Committee Chairman Michael McCaul (R-Texas), “cybersecurity legislation will be the top legislative priority for the committee” in 2013. While it remains to be seen what form that legislation will ultimately take, cybersecurity will no doubt continue to engender debate in the coming months.