The proposed Data Accountability and Trust Act (DATA) would create a national data privacy law that would undoubtedly change the enterprise data privacy and data protection landscape.
In this Q&A, David Navetta, founding partner of the Information Law Group, discusses the specifics of the proposed law and key similarities and differences with existing state data breach laws. Key topics include the legal standard for "risk of harm" as well as the cost implications relating to penalties and free, credit monitoring and call centers. Enterprises will also get brief guidance on what to do now to prepare for the likelihood of a national data privacy law.
0:45 - DATA Overview
2:50 - Comparison with state breach laws
5:15 - "Risk of harm" provision
7:20 - Penalties and fees
10:25 - What will the final bill look like?
12:40 - How should enterprises prep for DATA?
Transcript - Data Accountability and Trust Act
Eric Parizo: Hi, I'm Eric Parizo. It's great to have you with us. Joining me today is David Navetta. He is the Founding Partner of the Information Law Group. David, thanks so much for being here with us today.
David Navetta: Thanks for having me.
Eric Parizo: David, the Data Accountability and Trust Act, or DATA, is a proposed bill that would create a national data privacy law. Before we delve into specifics, can you touch on an overview of how a law of this nature could change the data privacy and data protection landscape?
David Navetta: This law actually does three different things, big category things. First of all, it creates a set of security standards and requirements, which doesn't really exist, except for Massachusetts law. It creates a separate category of duties for data collectors and information brokers, companies that buy and sell essentially information. It also has, what I think is the big part of it, the different breach notice requirements. I'm not going to focus in on the breach notice requirement because you could talk about the statute forever otherwise.
To just take a step back, we've got breach notice requirements laws in 45 different states, District of Columbia, Puerto Rico and a couple other jurisdictions along those lines. The big thing that this law would do, a federal law, it would be to preempt all of those state laws. So, instead of having 45 or more different requirements to look at if you've suffered a breach involving the residents of all 50 states, you would have one law, and one standard to deal with. So, that by itself has a big potential to create a different kind of regime breach notice.
You can get into the details about what would change later, but I think that preemption aspect is huge. Now, kind of where the jury is out, is whether or not this is going to result in more reporting or less reporting. Is it good for business? Is it good for consumers? I think that the way that the bill passed the House, I think, in December is drafted, there are things that the consumer side of the equation will like and things that the business side will like and vice versa.
And so, I think there's still a fairly long road before something gets passed because as people start getting deeper into the law, you're going to have those two business and consumer groups kind of butting heads. I'm not sure exactly what will end up being passed, or if anything. It definitely has the potential to shake up the breach notice landscape.
Eric Parizo: What are the key similarities between data and the existing state data breach laws?
David Navetta: On the similarity side, so there are some similarities between the definition of personal information required, usually, first initial and last name and a combination of account numbers and social security numbers, and what have you. There's a law enforcement hold. Law enforcement says they're in the middle of an investigation. You cannot report in that context. Encryption is also still an issue. So, if the data has been encrypted under the proposed federal law, that would also offer safe harbor, although it's a little different because it only offers presumption that the data wasn't actually harmed or there was no risk of harm.
For instance, if someone could prove that the encryption key was left on your desk, encryption by itself wouldn't actually save you in this case. So, those are kind of the big picture similarities.
Some of the differences are it requires notice 60 days after discovery. There are a couple of state laws that require some sort of time limit after discovery for notice to go out. This one requires 60 days notice to the FTC. A couple in another area that's huge; it requires a 1-800 number for people to find out more information about the breach as well as two years of credit monitoring which no state breach notice laws require either call centers or credit monitoring. It also requires or allows for penalties of up to $11,000 per violation, and the bill says that each individual that wasn't provided notice could be considered a violation. There's a cap on that of $5 million.
Those are the big kind of similarities and differences that I think, again, going back to the original question, it will probably impact how this law actually applies. The other big one is risk of harm. There is a fairly high risk of harm obligation here. You don't have to report if you can show that there's no reasonable risk of identity theft, and the risk of harm threshold here is actually much higher than many state laws which I think we can talk about in a second. I think it will potentially impact the reporting that gets done on this law if it ever passes.
Eric Parizo: David, can you talk about the risk of harm provision in the bill and what that would mean for an organization?
David Navetta: This is one where I think the business side will probably be happy and the consumer side will not be happy. The risk of harm, as I said before, is if you can show that there's no reasonable risk of identity theft, there's no obligation to report. The way we have it now there are 45 state laws, as I said earlier, and the risk of harm thresholds in those laws… Of course, some of them don't have risk of harm. They just say, if there's been unauthorized access or reasonably suspected unauthorized access to personal information, you have an obligation to report.
Others do have higher risks of harm, and what that effectively means is that compared to, say, a state with a low risk of harm threshold the federal law applies. In the old state regime, the residents in that state would have gotten a diversity notice and in the new regime they will not get notice. So, that's in a nutshell what is going to happen. There's also a dynamic that actually existed with the 45 state laws that I think will also significantly impact the number of people that get notice if the federal bill is passed.
Under the state laws what would happen, if you had residents of 50 states in your database and their data was breached, you would look at basically the state with the lowest harm threshold and say, "Well, yeah, in this state I need to report, so therefore I'm just going to go report all of the states." The reality is you may not have had a duty or an obligation to report in a good number of those other states because their threshold may have been very high, much higher than the lowest one. So, using this lowest common denominator type of theory, I think effectively more people will receive a notice than they would have.
Now, if you change to a federal law where there's one standard, the lowest common denominator aspect no longer exists. You just have one standard. If it's not met, there's no notice, including the states with the lower threshold that existed previously. So, that also, I think, will cause potentially less reporting in the current state breach notice.
Eric Parizo: The bill also comes with increased costs for credit monitoring and call centers as well as penalties and fees. Can you talk to us about what that means?
David Navetta: Let's talk about penalties first. So, I think that the risk of harm threshold has a tendency potentially resulting in less reporting under the state laws. Now, the fines and penalties, however, $11,000 per violation, up to $5 million. Well, that's a potential stick to get people to actually be a little bit more careful about doing their due diligence, making the determination when there's a reasonable risk of identify theft, et cetera, et cetera, because if they don't and they get it wrong, well, they're going to be liable potentially for huge penalties and fines.
So, that kind of counterbalances the risk of harm threshold because you know, at least, when you suffered a breach, you're going to take it very seriously to avoid the analysis, to avoid those penalties. So, that's probably something the consumer side likes and the business side wouldn't like. Again, I think this is why the law has a ways to go because there are these kind of countervailing factors that both sides might have disagreement with in a given situation.
The other aspect that you wanted me to talk about was the call centers and the credit monitoring. Now, this one, in my opinion, changes the game in a way that potentially was against reporting. Let me tell you why, credit monitoring for two years. I negotiated rates in some of these credit monitoring programs, and I've gotten it down to like, $10 a year or something like that. But if you bought it off the retail market, it can be $15 a month. So, there's a wide range of costs as far as credit monitoring is concerned. So, you've got two years of that.
Let's just throw a number out there and say it costs $100 for two years, which is a pretty conservative number. Let's say your breach involved a million people. A hundred times a million, that's a big, huge monumental cost for any organization, big or small.
Same sort of multiplier effect happens with call centers. Call centers often price based on the volume of calls that are intended to come in. Now, it says you can set up a 1-800 number, but if you suffer a huge breach, what organization has a 1-800 number that's going to be ready to accept hundreds or thousands of calls. So, again, let's say a dollar per call per person in a breach that you have to pay. So, again, a million people, a million dollars.
These are huge costs, and from my point of view as an organization, if you're an organization and you're trying to figure out whether you need to report, well, when you see millions of dollars of potential credit monitoring call center costs, it's hard to find reasons not to report frankly and obviously you can do it within the law.
So, I think that's another factor that businesses don't like that aspect of it. I'm sure the consumer side does like that and again, this is the challenge. How are we going to reconcile these kind of competing factors that go into this law? Will we ever get to something between the Senate and the House that actually addresses all of these issues, makes some sense but is fair to both sides?
Eric Parizo: So, should a federal law be enacted? How would it differ or how should it differ from what data actually proposes today?
David Navetta: I think you need to take a very hard look at the credit monitoring call centers. First of all, does it even have help is the first thing. You should probably do some studies to figure out whether that kind of cost is actually effective. That's the first question.
Then, perhaps if you're going to have it in there, maybe some different thresholds. Maybe, if actual identity theft has been proven to have been suffered by some of the people that were in the breach, then you have to require the call center to do credit monitoring. I just think those costs are astronomical, and smaller businesses, medium businesses there's no way they can afford it in this economic environment. Who's going to want to put that kind of burden on businesses?
As far as preempting law, in the federal law and state law, I think there's some benefit there to have one standard. It creates probably some efficiency in reporting. I think the risk threshold needs to be looked at and determine whether that's the proper threshold or not. There have been some studies and some indications that a lot of these breaches don't result in much identity theft, so it will result in no reporting whatsoever. Is that all right? I'm not sure.
I think all of the kind of extremes that exist in there now need to be looked at and carefully considered and define the penalties as well per violation. So, if you send something in the letter that you sent to the person and that technically may be a violation of the statute, is that $11,000 you're owe for every one you do? I think you have to be very careful when you start popping those big numbers. You have to make it very clear when those numbers and when those fines and penalties are going to apply.
I think there's a long way to go. The Senate Judiciary Committee, I believe, passed a version of this bill. It hasn't passed the full Senate yet, so I think we're still a ways out before we find something that is even close to getting passed because I think there's going to be a reconciliation process. Again, it could change if there's a different Congress or a different administration. So, even though it passed the House, I still think we've got a ways to go before we get something that would be palatable to various competing interests.
Eric Parizo: Finally, from a legal perspective, what should enterprises do today to prepare for the likelihood of a national data privacy law?
David Navetta: I think right now I would just keep my eye on legislation to the extent that maybe, some of the issues that we talked about today impact your business. Perhaps, get active also on the consumer side. Get active in trying to help craft a bill. I don't want to slag on legislators, but these days security and privacy issues are very complex. You often just find bills that seem to go out there where maybe, not much thought behind what the impact of them will be.
I think when you're passing something on a federal national level, you've got to make sure that you've got it right. You've got to balance all those competing considerations. For organizations right now, the only thing you can do is get involved in that process and organizations and individuals in consumer groups are the ones that have the true knowledge at this point. So, I would recommend in preparation to contact your Congress people, contact various organizations that are interested in these issues and give your opinion essentially.
Eric Parizo: David Navetta, Founding Partner of the Information Law Group, thanks so much for joining us today.
David Navetta: Thanks so much for having me. I appreciate it.
Eric Parizo: And thank you for joining us as well. For more information on security videos, feel free to visit searchsecurity.com/video. I'm Eric Parizo. Stay safe out there.