The fallout from major data breaches has pushed various members of Congress to propose yet another batch of data breach notification bills. Many of these proposed pieces of legislation simply recycle iterations of the bills introduced in earlier congressional sessions. Others contain a few new twists, but it comes down to a question of whether or not Congress can rally around at least one bill and pass federal data breach notification.
Recent events may provide the impetus needed to get such a bill over the finish line. The Target breach has led to a number of different stakeholders calling for change in the form of federal legislation. Why now, you might ask?
For starters, the Target breach exposed over 70 million credit cards. While not the largest data breach in history (the NASDAQ breach discovered in 2007 exposed over 160 million credit and debit cards), many consumers shop at Target and place trust in the retailer when they hand over their credit card to make a purchase. This breach incident has arguably raised the awareness level of many more consumers than prior breaches.
Perhaps more importantly, this breach has called into question some of the "self-regulating" mechanisms in the credit card industry -- in particular the Payment Card Industry Data Security Standard (PCI DSS). Many people agree that PCI DSS arose as a result of the credit card industry wanting to avoid federal regulation. The theory was that a system comprising a security standard coupled with self or third-party audits would increase the security of the overall system. Critics have pointed out that many breaches have occurred at entities that had been deemed PCI-compliant. In the case of Target, lawsuits have been filed by issuing banks against the Qualified Security Auditor responsible for performing Target's audit (and also provided some of Target's real-time security monitoring).
The big question now centers on whether Congress can pass a national data breach law (or any other type of cybersecurity legislation). In order to analyze that question, let's take a look at historical aspects of this issue.
Liability beyond hackers
A little over ten years ago, I wrote an article for this publication about the then-new data breach notification law in California that widely became known by its bill number -- Senate Bill (SB) 1386. Many in both the privacy and security communities hailed it as a significant step forward in the battle against the "hackers" -- no longer would companies be able to legally not report data breaches that affected personally identifiable information. The introduction of the bill was directly related to the escalating data breaches that had been occurring, including one at a data center housing personal information on California state employees. This led to the drafting and passing of the first data breach notification law.
Most states have followed suit with their own data breach notification laws, with many requiring additional proactive duties that focus on having reasonable security measures to protect personal information.
The prospect of federal legislation inspired companies to band together and launch a number of efforts intended to show that the industry could self-regulate.
While SB 1386 became quite well known, a somewhat lesser-known cybersecurity legislative event occurred in 2003. A freshman congressman from Florida, Adam Putnam, floated a draft bill that would have required companies to report on their cybersecurity posture. The prospect of federal legislation inspired companies to band together and launch a number of efforts intended to show that the industry could self-regulate. In 2004, cybersecurity blogger Brian Krebs, who at the time worked as a reporter for the Washingtonpost.com, hosted an online chat with Rep. Adam Putnam (R-Fla.), which included the following exchange:
Brian Krebs: … [Y]ou came close to introducing a bill that would require public companies to verify that they have met certain cybersecurity standards. You later decided to delay that legislation to give the tech industry time to come up with an alternative. Why did you decide to delay your bill?
Rep. Adam Putnam: … I came to the conclusion that I had raised the point and the awareness sufficiently in the boardrooms so that the private sector would take IT security seriously. If they can come up with a plan that establishes sound practices, adhered to by the industry, I would support such a meaningful security plan even if it did not require direct federal law. There were also concerns about writing technology standards into the law that would be obsolete soon.
If you are a glass-half-full person, the number of cybersecurity bills that have been proposed in Congress show that cybersecurity legislation has progressed quite a bit since Rep. Putnam's efforts. If you are a glass-half-empty person, the lack of passed cybersecurity legislation in light of the increasing number of compromises possibly indicates that (a) Congress can't get its job done (at least in the area of cybersecurity) or (b) the boardrooms have not, in fact, become aware of the severity of the issue. Unfortunately, the situation can't be so easily simplified from a historical perspective and needs to be explored in a bit more detail.
Can of worms
Sen. Dianne Feinstein introduced the first federal data breach notification bill in 2003 and has introduced several more since then, including another one in the current Congress.
As a threshold matter, cybersecurity differs from a number of other legislative initiatives. Despite the fact that GLBA (financial services) and HIPAA/HITECH (healthcare) contain cyber components and were passed many years ago, cyber concerns don't just exist in these discrete vertical industries. Instead, cybersecurity should be viewed as a more horizontal concept that actually cuts across (at varying degrees) all industry verticals. This makes the creation of a ubiquitous standard or passage of a comprehensive law a complicated endeavor. The latter also assumes, however, that improving the current state of cybersecurity in our country requires passage of a federal law. Not everyone agrees with that proposition or, if a law is needed, what form it should take.
Laws related to cybersecurity generally take one of three forms. First, there can be sector-specific laws, such as those that have already passed in financial services and healthcare. Sector-specific laws, however, only affect a limited number of stakeholders and cover a variety of topics besides cyber, arguably making them easier to pass. Second, cyber bills can be narrowly focused on just one particular topic, such as data breach or social security number protection. Third, cyber bills can be focused on a broad range of cyber (and other information security) topics, what I tend to call "omnibus" cyber bills.
Debates continue over which type of bill might fare better in Congress. As just one example in the "narrow" category, Sen. Dianne Feinstein (D-Ca.) introduced the first federal data breach notification bill in 2003 and has introduced several more since then, including another one in the current Congress. None have passed. In contrast, several omnibus bills have been introduced (with the concept being that cyber doesn't get to the floor of Congress often, so when it does it should try to cover as much ground as possible). None of those have passed either.
Whether a bill will pass in the future depends on a number of different factors. First, the bill will need to preempt all other existing state laws. What use is an overarching federal law if the patchwork of state data-breach laws still exists? Second, the bill will need to garner support across a number of different committees that all claim jurisdiction over cybersecurity. Note that we haven't even covered any of the substantive issues yet. For example, any data breach notification bill would need to garner agreement among a majority on issues such as:
- Whether a private right of action should exist that would give individual plaintiffs the ability to sue (i.e., a separate cause of action than negligence);
- What the trigger should be for notification (strict liability, severity of harm standard or something else); and
- Whether data breach notification is the most important privacy issue or whether something else (e.g., mobile location services) have a higher priority.
In addition, although consumers are more aware of the issue of data breach and how it affects them, many also know that their exposure is relatively low due to the $50 liability limit under Regulation E: Electronic Funds Transfers.
Political developments in this area would also seem to be directly and indirectly increasing the pressure for Congress to enact some sort of federal legislation. For example, the passage by the House of the Cyber Intelligence Sharing and Protection Act in April of last year marked a significant step forward in the area of data protection legislation. While it didn't get any further than the House, and mainly involved the sharing of threat data (i.e., it wasn't a breach notification law), it certainly stood as a wake-up call that a law at the federal level could happen in the foreseeable future.
From a slightly different political direction, the Federal Trade Commission and two industry trade groups (retail and banking) recently testified before the Senate Homeland Security and Governmental Affairs Committee. Their message resembled that of many other stakeholders: The government needs to take action sooner rather than later on both federal data breach notification and information sharing legislation. The trade groups stated the desire to reach common ground on a set of recommendations in the next six to nine months.
Will we get a federal data breach notification law in the next year? Cybersecurity and data protection are very complex topics that have many moving parts. Getting them all moving together has proven to be an impossible task for over 10 years. Recent events, however, have raised the buzz to a level I cannot recall over my career in this area. That doesn't mean things will be different legislatively, but hopefully (for any number of reasons) I won't be writing another article 10 years from now saying, "It's been over 20 years since the first state data breach notification law went into effect…"
Randy V. Sabett, J.D., CISSP, is special counsel at Cooley LLP (www.cooley.com), and a member of the boards of directors of ISSA NOVA and the Georgetown Cybersecurity Law Institute. He was a member of the Commission on Cybersecurity for the 44th presidency, was named the ISSA Professional of the Year for 2013, and can be reached at firstname.lastname@example.org. The views expressed herein are those of the author and do not necessarily reflect the positions of any current or former clients of Cooley or Mr. Sabett.
Send comments on this article to email@example.com.