Numerous data breaches in 2014 at big companies like J.P. Morgan Chase, the Home Depot, eBay, and, most recently, Sony Pictures have made cybersecurity even more important to consumers and especially the tech industry. The House and Senate kicked off the 114th Congress last week with hearings in three separate committees on tackling the emerging problems of cybersecurity and data breaches. Testimony and questions before the House Energy & Commerce Subcommittee on Commerce, Manufacturing, and Trade; the House Science, Space, and Technology Subcommittee on Research and Technology; and the Senate Homeland Security and Government Affairs Committee covered similar topics that will likely be addressed in legislation that could develop during this Congress.
Among the key issues is whether the federal government should impose a single, national data security requirement. Some panelists in the private sector advocated for a nationwide standard, noting that companies with operations in multiple states have to comply with a different set of security standards and notification requirements in each state. A single standard also raises the question of whether federal law should preempt efforts that are already underway at the state level. Currently, there is a patchwork of data breach notification laws and requirements in 47 different states (all except for Alabama, New Mexico and South Dakota), as well as the District of Columbia, Puerto Rico, Guam and the Virgin Islands. Moreover, in just the first few weeks of this year, at least seventeen bills on this topic have been proposed in seven states. Many industry panelists described their compliance burdens. However, privacy advocates and some industry panelists recognized that companies often aim to comply with the highest state standards, both for efficiency and to prove to customers that they are serious about data security. In addition, a national standard could be set as a floor, not a ceiling, in order to preserve hard-won consumer protections. Some also said that legislation should be minimally preemptive regarding specific sectors, like healthcare and financial services, because preemption could water down existing protections that are already effective.
Regarding the notification requirements, many panelists noted difficulties in determining when consumers would have to be alerted and who in the company would be responsible for notifying customers and the government. A reasonableness standard seemed to be a recurring theme among panelists regarding a “harm trigger,” or what level of harm would be required before notification, and how long a company can take to investigate a problem before notifying the authorities and customers. Risk assessments can vary depending on the breach. Companies must first define the scope of the breach before they begin the process of sending out notices and making sure those notices are effective and do not end up in junk mail. However, many said that confirmation of the breach should be made first to law enforcement and regulators. Noting the risk of over-notification of customers, one panelist stated that H.R. 2221 from 2009 had reasonable language, but that Congress should be careful about over-notification and repeated privacy notices.
It is estimated that the global cost of cyber crime has reached over $445 billion annually. Some panelists noted that nation states or actors backed by nation states are the most significant threats to our country. These threats are sophisticated and persistent. Panelists frequently stated that greater information sharing between companies, law enforcement, and the public would be more effective for our national security. An estimated 70% of victims do not find out about breaches to their systems until someone else like the FBI tells them. Intruders can often spend over half a year in a network without being noticed. Some important aspects of information sharing would be real-time sharing, liability and disclosure protection, and ways to encourage sharing between companies as well as the federal government. Panelists also discussed reasonable penalties and whether there should be a private right of action.
Many panelists from industry echoed Energy & Commerce Subcommittee Chairman Michael Burgess (R-TX) in saying that any federal standards should employ “flexible” data security requirements. Flexible standards would allow for adaptive compliance. They would also give companies some confidence and put all companies on notice that if they do not keep up, they will be subject to federal enforcement. Crucial to any federal regime will be the protection of personally identifiable information (PII). Some panelists said that removing PII before sharing is very reasonable and in many cases is already done by companies before they share information. Some suggested that legislation narrowly define what personal information can be shared, with limited national security exceptions. One panelist suggested that PII should not be defined in a bill; instead, DHS should be tasked with defining the term through notice and comment and updating the definition over time.
Some also singled out aspects of an effective enforcement regime. Currently, state law enforcement officials coordinate with their federal counterparts, but some panelists suggested strengthening information sharing while also maintaining the authority of state attorneys general. There were also questions about whether one federal regulator should take the lead in this area. One panelist suggested giving the FTC rulemaking authority while allowing other government agencies to coexist based on their unique expertise and regulatory authority.
Regarding the development of a bill this Congress, House Energy & Commerce Subcommittee Chairman Michael Burgess (R-TX) sought to highlight his work with Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT). Burgess prefers not going into areas beyond his committee’s jurisdiction (i.e. financial services or healthcare, which have their own standards). Democrats, like Congresswoman Jan Schakowsky (D-IL), noted that Americans benefit from a data-driven world but that consumers should not have to sacrifice their rights. Democrats are also concerned about preemption. Still, Burgess declared in his prepared remarks: “[T]he time to act is now.”