Clients often ask whether we think a particular piece of privacy, data security, consumer protection or similar legislation will be passed by Congress. And, more often than not, the answer is no. I’d like to be more optimistic, but the failure of Congress to pass a federal data security breach notification law has always been the perfect example of why enacting any similar privacy and data security laws at the federal level is so difficult.
It is perplexing why such a law has yet to be enacted. The current system is clearly broken. With the exception of Alabama, Kentucky, New Mexico and South Dakota, every state, as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands, has enacted legislation requiring notification to consumers, law enforcement, regulators, and/or credit bureaus of security breaches involving personal information. This complex patchwork of laws makes responding to data breaches a complicated and resource-draining nightmare for businesses. A single federal data security breach notification law could make that nightmare much less painful for affected businesses, which would almost certainly support a single set of rules with nationwide scope. Further, such a law, like the existing state laws, should help to mitigate identity theft and protect consumers whose personal information has been compromised. And, seemingly, it should be relatively uncontroversial, bipartisan legislation that even a dysfunctional Congress could pass. Moreover, data breaches are becoming more and more prevalent as businesses struggle to defend against sophisticated cyber criminals and consumers increasingly conduct significant facets of their lives through computers, mobile devices and other interconnected “things” (see our blog post on security risks and the Internet of Things).
Yet the U.S. still does not have a comprehensive breach notification law. Perhaps 2014 is the year it finally changes. If so, we will be able to thank the criminals behind the massive breach of consumer and credit card information held by Target over the holidays and the efforts of Senate Judiciary Committee Chairman Patrick Leahy. Leahy recently re-introduced Senate Bill 1897, the Personal Data Privacy and Security Act, a comprehensive information security bill that he has floated in each of the previous four Congresses. The timing of the massive Target breach and the reintroduction of the bill do not appear to be a coincidence. “The recent data breach at Target involving the debit and credit card data of as many as 40 million customers during the Christmas holidays is a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity remains one of the most challenging and important issues facing our nation,” Leahy said in a Jan. 8 statement.
Leahy’s bill would replace the patchwork of state data breach notification rules with a uniform federal standard and would require American businesses that collect and store consumers’ sensitive personal information to safeguard that information from cyber threats. The bill also would amend the Computer Fraud and Abuse Act to expand punishments for identity theft crimes and provide a specific offense for aggravated damage to a critical infrastructure computer. Also, the Federal Trade Commission would be authorized to write and enforce rules requiring companies to protect “personally identifiable information” and to notify consumers in the event of a breach, and violators might face up to $500,000 in civil penalties.
Is 2014 finally the year for federal data security breach legislation? The stars seem to be aligned.