Data Breach Legislation – Creating a Federal Standard
Whatever your political viewpoints may be on the dividing line between federal and state responsibilities, or the interpretation of the 10th Amendment to our Constitution, there is no question the Framers saw an important role for the federal government. To test everyone’s knowledge in this area, don’t forget the Framers were drafting the US Constitution in the aftermath of the failed Articles of Confederation experiment, which had exposed the weaknesses in leaving certain unifying functions to individual states.
With that history lesson in mind, it is frustrating from a personal standpoint to see Congress still struggling with crafting legislation to provide a federal response to data breach notification and security legislation. This is an issue that I worked on when I was on Capitol Hill nearly ten years ago. It is the quintessential federal issue that should be resolved and enacted.
Each week we hear about a new data breach against a major company caused by hackers or lapses in consumer data security. Every consumer faces a serious risk of identity theft and financial fraud from criminals who have a variety of motivations, some for political reasons, others for financial gain, and others just because they want to disrupt the American economy.
Currently, 47 different States have adopted laws dealing with data breach notification, and 12 States have laws governing commercial data security. This patchwork of State laws creates compliance nightmares for companies that need consistency and predictability in responding to breach requirements and securing their systems after a breach.
Unfortunately, this patchwork of state-by-state regulation has not improved consumer protection and may in fact increase the risk of cyber-motivated crimes because hackers can exploit vulnerabilities that exist because of the lack of uniform system standards. Hackers may have a greater ability to engage in phishing attacks or other techniques.
We all have experienced, at one point or another, the headache of identity theft, requiring us to protect our accounts, replace debit/credit cards, and monitor our accounts for unusual activity. In the end, consumers are burdened with higher fees and costs created by the failure to stop hackers and other cyber-criminals.
A federal response to this problem is required, one that includes the following principles and purposes:
- Companies have implemented, and should continue to implement, reasonable security measures for personal information.
- Companies have to notify consumers within a short period of time about a breach of consumer data, whether caused by a hacker or by some security failure.
- The federal government should delegate enforcement authority for federal data breach requirements to the appropriate federal agency, probably the FTC.
- State Attorneys General should also be able to enforce violations, require compliance and/or seek civil penalties for violations.
- Companies should be required to notify the FBI or the Secret Service when a breach involves a certain number of consumers.
- Third-party entities that store or process information for a company should be required to promptly notify the company if there is a breach.
One of the difficult issues that has snagged Congressional efforts to address this issue is whether to create a private right of action under the statute so that class actions or other consumer-based lawsuits can be filed against companies for failing to follow the requirements. Inevitably, this is a political issue that pits trial and class action lawyers against corporate interests.
Hopefully, this issue can be resolved and legislation enacted – consumers need a unified standard to protect their information and companies need some safe harbors for protection of personal information and breach notification requirements.