The House Subcommittee on Commerce, Manufacturing and Trade today held its first hearing of the 114th Congress in order to begin work on developing federal data breach legislation. Pre-hearing memos suggested that any data breach notification law would be primarily concerned with protecting consumers. However, under the guise of preventing so-called “over notification,” all but one witness served to protect business interests, urging Congress to limit notifications to those in which malicious intent is imminent.
Three of the four witnesses stressed the importance of writing “harm triggers” into the data breach law that would effectively allow businesses to stay mum about breaches in which the exposed data posed no apparent risk of future harm to affected consumers. Just one testifier noted that it is nearly impossible to forecast future malicious intent and argued that consumers have the right to know about any breach of their personal information regardless of perceived intent or malicious potential.
The hearing aimed to define the elements of a single, flexible data breach notification law on the federal level. The bill would not address the health care or banking industries, which already have data breach notification laws in place. However, it would seek to establish triggers and timetables for notifying customers following a breach, determine whether a data security requirement would help limit the impact of breaches, define what sorts of exposed information are most likely to lead to identity theft and financial fraud and to reduce the complexity associated with existing laws while preventing customer over-notification. A draft notification bill should emerge sometime in the coming months.
Earlier this year and in his State of the Union address, President Barack Obama called on Congress to develop a bill that would standardize the requirements for when companies must notify customers of data breaches.
"I'm announcing new steps to protect the identities and privacy of the American people." —President Obama #Cybersecurity
— Barack Obama (@BarackObama) January 12, 2015
Presidential cybersecurity coordinator Michael Daniel explained in a Whitehouse.gov blog that the president’s proposal on security breach reporting would help consumers protect themselves against identity theft while also encouraging businesses to improve cybersecurity to better prevent identity theft.
“[Existing state] laws require businesses that have suffered an intrusion to notify consumers, if consumers’ personal information has been compromised,” Daniel explained. “The Administration’s updated proposal helps businesses and consumers by simplifying and standardizing the existing patchwork of 46 state laws (plus the District of Columbia and several territories) that contain data breach reporting requirements into one federal statute, and it puts in place a single, clear requirement to ensure that companies notify their employees and customers about security breaches on a timely basis.”
The Electronic Frontier Foundation was critical of the administration’s proposed legislation, calling it weaker than the current status quo. The EFF explained that most states already have data breach notification laws in place and that the president’s proposed legislation also infringes on states’ rights to protect their citizens in a number of places.
“The legislation proposed by President Obama would force companies handling 10,000 or more customers’ information (during a 12-month period) to disclose data breaches within 30 days,” EFF legislative analyst Mark Jaycox and staff attorney Lee Tien wrote. “Companies are allowed a few exceptions to the disclosure, but will be overseen by the Federal Trade Commission to ensure they comply. In an attempt to normalize across the land, the law would trump all state data breach laws—including stronger ones—and allow the government to stop any action brought by a state attorney general.”
Ultimately, both Congress and the president’s proposals intend to standardize the existing 47 separate state data breach laws into one federal law.
Rep. Frank Pallone (D-NJ) spoke to the EFF’s concerns in his opening statements, noting that he would not support any bill deemed to be weaker than his or any other state’s existing breach notification standards.
Elizabeth Hyman of Tech America stressed the difficulties that organizations — most of which are involved in interstate commerce — face under the current patchwork of notification standards. The federal standard, she said, must overwrite all existing statutes. Hyman’s preference would be to essentially limit the amount of information shared about breaches with customers. She said that organizations should only be required to notify their customers about a data breach if the exposed information can be used to commit fraud or other crimes.
Brian Dodge of the Retail Industry Leaders Association, seemed interested in protecting organizations as well, stating that companies should not be forced to pay civil penalties unless they are limited to covering the real-world losses imposed upon breach victims. He also agreed with Hyman, arguing that organizations should not be forced to reveal information from data breaches unless it could be exploited by criminals in ways that would harm those affected.
To the contrary, Woodrow Hartzog of Stanford’s Cumberland School of Law stepped out of the line established by the expert testimony preceding his. He cautioned against limiting consumer breach notification based on malicious intent, calling harm triggers dubious because it is difficult to draw a line of causation between stolen data and future harm. Meeting the burden of proof that harm is likely, Hartzog said, is nearly impossible. Hartzog pushed back on the idea of over-notification, saying we simply do not yet live in a world where consumers will suffer from data breach notification fatigue.
Hartzog also cautioned lawmakers against building a preemptive bill that undercuts the efficacy of existing laws. Finally, he said, any federal statute must not deprive states of their ability to regulate data security standards in their own state.
“We need a plan in place that will help prevent data from being stolen in the first place, and will also alleviate consequences for consumers if hackers are successful,” said subcommittee chairman Michael C. Burgess, M.D. (R-Tx). “I am encouraged by the president’s recent focus on this issue and call for a national standard, and I agree. Working toward a federal data breach solution is a top priority for our new Congress. Data security will be the focus of our subcommittee’s first hearing as we drill down on what components should be included in a bill that will give consumers the peace of mind they deserve.”
The hearing also waded into which government agencies should oversee data breach notification regulation. Perhaps more interestingly, experts and congressional officials alike questioned who is responsible for notifying customers of a breach after user data has passed from one entity, presumably having some relationship with the consumer, to another that the consumer may not even know about.