When Can We Expect a Federal Data Breach Notification Law?

Transcription

1 When Can We Expect a Federal Data Breach Notification Law? The Trials and Tribulations of Getting a DBN Bill through Congress. Alexi Madon Director of State Government Affairs, Midwest

2 Cybersecurity Overview The Cybersecurity Information Sharing Act (CISA) passed out of the Senate Intelligence Committee on a bipartisan 14-1 vote in March. It was introduced as an amendment to the National Defense Authorization Act (NDAA) in June, but failed to secure the 60 votes necessary for cloture. The Senate is likely to take up the bill later this year as a standalone bill, where Democrats will be able to introduce privacy-related enhancements. 2

3 Privacy Overview Surveillance Reform USA Freedom Act passed into law in early June, ending the NSA s bulk data collection program under Sec. 215 of the Patriot Act and adding an element of transparency to the process of the Government asking private companies for records. ECPA Reform In the wake of the passage of USA Freedom, support for ECPA reform is growing. House bill (H.R. 699) currently has 280 cosponsors. Privacy Legislation Very little support in Congress for any sort of privacy law overhaul at this time. However, trade negotiations with Europe could put the current EU-US Safe Harbor at risk and force our hand. 3

4 The Current State of Data Breach Laws 47 states and Washington, DC all have their own laws. Only Alabama, New Mexico and South Dakota don t have laws. Creates an incredibly difficult compliance problem, particularly for small businesses, to figure out what laws would apply in the event of a breach, especially in an increasingly mobile and cloud-based world. States also continue to update and change their laws, making it even MORE difficult to keep up. The number of breaches continues to increase, as does the need for federal data breach legislation. 4

5 A Brief History of Federal Data Breach Legislation Senator Diane Feinstein (D-CA) has been emphasizing the need for a federal data breach law since Her Notification of Risk to Personal Data Act made it out of the Senate Judiciary Committee in 2005 as part of a larger privacy bill and on its own in 2007, but never made it to the Senate floor for a vote. A similar bill (the Data Breach Notification Act) made it out of the Committee in both 2009 and Congressman Bobby Rush s (D-IL) Data Accountability and Trust Act (DATA) passed the House in 2009, but never made it out of the Senate Commerce Committee. In 2011, the Republicans took back the House, and momentum for data breach legislation stalled. 5

6 The Target & Neiman Marcus Breaches In December, 2013, Target and Neiman Marcus announced massive data breaches that compromised the data of tens of millions of customers. These breaches received major media attention and hit millions of Americans who had never given a thought to the possibility of having their data stolen. The general public was now acutely aware of the risk of data breaches. 6

7 Congress Responds In early 2014, a number of data breach bills were introduced and hearings were held, but the momentum ultimately stalled when it became clear that Republicans had a good chance of taking the Senate in the 2014 elections. In 2015, several old data breach bills have been re-introduced, but there are several brand new bills as well. Hearings were held in both the House and Senate earlier this year, though things have, again, gone quiet in recent months. 7

8 Current Data Breach/Data Security Bills Senate House S.177 Data Security and Breach Notification Act of 2015 Nelson (D-FL) S.1027 Data Breach Notification and Punishing Cyber Criminals Act Kirk (R- IL) & Gillibrand (D-NY) S.1927 Data Security Act of 2015 Carper (D-DE) & Blunt (R-MO) Warner (D-VA) draft bill H.R Personal Data Notification and Protection Act of 2015 (D-RI) H.R Data Security and Breach Notification Act of 2015 Blackburn (R- TN) H.R Data Security Act of 2015 Neugebauer (R-TX) 8

9 Can Anything Actually Pass? Bills need true bipartisan support to stand a chance. Compromise is key. The aforementioned H.R passed out of the House Energy & Commerce Committee in April, but on a partisan vote. The lone Democratic co-sponsor, Peter Welch (D-VT), ultimately voted against the final version of the bill. House Rs & Ds are still working together to get a version of the bill that both sides can support. A new bill is expected imminently. In the Senate, John Thune (R-SD), the Chair of the Senate Commerce Committee, may co-sponsor Senator Warner s bill, giving it bipartisan support. 9

10 Points of Contention/Barriers to Passing a Law Data Security Obligations Definition of Personally Identifiable Information Harm Required for Notification? Civil Penalties/State Enforcement 10

11 Data Security Obligations This debate has evolved over the last couple of years. Debate is no longer about whether data security obligations should be included in a federal law, but how they should be: enumerated requirements vs. industry best practices. 11

12 Definition of Personally Identifiable Information Should the definition be able to evolve over time? Should the FTC be given the authority to change it? Should it include health information not covered by HIPAA? Should it include or username plus a password? 12

13 Harm Required for Notification? Two common standards for when companies must notify after a breach: When PII has been or is reasonably believed to have been accessed or acquired; or When there is significant risk that the breach has resulted in, or will result in, identity theft, economic loss or harm, physical harm, or fraud. 13

14 Civil Penalties/State Enforcement Maximum penalties range from $500K to $5M for failure to notify following a breach. Some, but not all, bills instruct that penalties should be tailored for the size and complexity of the business entity and the nature and scope of its activities. Most bills allow state attorneys general to enforce the federal statute, but there are concerns about companies getting penalized on both the state and federal level for the same violation. 14

15 Other Barriers to Passage Fights over jurisdiction Judiciary vs. Commerce vs. Finance This time around, Judiciary has largely sat out the battle, but the Commerce and Finance committees are arguing about who has the proper jurisdiction to pass a data breach bill. 15

16 Best Case Scenario? House E&C re-introduces a new version of H.R that garners bi-partisan support and ultimately makes it to the House floor. Hypothetical Warner/Thune bill garners bipartisan support and is introduced as an amendment when CISA is argued on the Senate floor. 16

17 Questions?