Could a national data breach law be just around the corner? President Obama's call for a Personal Data Notification and Protection Act during his State of the Union (SOTU) may be just the kick the 114th Congress needs to hammer out legislation by midyear.
Addressing the Federal Trade Commission (FTC), the agency that has aggressively pursued companies that it feels have not properly safeguarded customer data, a week before delivering the SOTU, the President envisioned a national law that would clarify and strengthen “the obligations companies have to notify customers when their personal information has been exposed.” A key part of that law would be “a 30-day notification requirement from the discovery of a breach.”
National data breach legislation would set a federal standard for defining the parameters of a breach and the timeframe in which companies must report a breach to law enforcement authorities and consumers. The hope among many business groups is that a national law would also preempt an unmanageable patchwork of 47 state laws and instead replace them with a uniform set of statutes that companies would have to follow.
If the national law is enacted, companies will benefit from “the certainty of a single, national standard,” the White House said.
“We support a national data breach bill so companies can respond to breaches in a consistent manner,” says Tiffany Jones, senior vice president and chief revenue officer at iSIGHT Partners, a Dallas-based security firm.
Jones, who has testified before Congress on the growing malware threat landscape and the need for national data breach legislation, says companies can spend millions of dollars complying with all the state laws. Tack on the cost of a breach, the cost for cleanup, lost revenue and lost market share, and Jones says there's very strong sentiment in the business community to finally get something done this year.
Lobbyists from groups such as the Direct Marketing Association and National Retail Federation would love to get a bill done this year, but they are realistic. Officials from these trade groups readily acknowledge that they've been building coalitions to support national breach legislation for nearly 10 years now, but some say following the high-profile Target, Home Depot and Sony hacks of the past year, this time could be different.
“It's become very complicated for companies to comply with all the different state laws,” says Rachel Nyswander Thomas, vice president of government affairs for the Direct Marketing Association, one of the trade groups leading the charge for national legislation for the past decade. “With all the cases of new breaches in the news, it has become clear that both consumers and businesses have become victims. Plus, companies are global let alone national.” She adds that the need for a national standard would reduce some of the complexity.
Dave Frymier, chief information security officer at Unisys Corp., a global information technology company based in Blue Bell, Penn., says the Sony hack may be a taste of what's ahead. Lost in the uproar over the release of the movie The Interview were the hacks into Sony's corporate offices and intellectual property.
“In the past we've had to worry about nation-states stealing intellectual property or organized crime groups that were in it for the money, but the Sony hack was different,” he says. “This was a case of disruption of operations for political or ideological purposes.”
On the optimistic side, those who argue for a national law point to general agreement at both the state and national level as to what constitutes a breach. Just about every state law and the many competing national bills define a breach as when a person's name is compromised electronically along with one or more of the following pieces of personally identifiable information: a Social Security number, driver's license number or financial account number, such as a bank card or credit card.
OUR EXPERTS: Federal breach law
Mike Brown, VP & GM of the global public sector, RSA
Sen. Tom Carper (D-Del.)
Dave Frymier, CISO, Unisys Corp.
George Jepsen, attorney general, state of Connecticut
Tiffany Jones, SVP and chief revenue officer, iSIGHT Partners
Rachel Nyswander Thomas, VP of government affairs, Direct Marketing Association
Jonathan Spruill, managing consultant, incident response - U.S., Trustwave
Unfortunately, that's where the agreement stops. While the Direct Marketing Association (DMA), National Retail Federation (NRF) and various business groups are pushing hard for a clause that would preempt the 47 state statutes on the books, attorneys general have expressed concern that a national law could inhibit state efforts to effectively respond to breaches.
“I've found that the state attorneys general are not crazy about a national law,” says Jonathan Spruill, managing consultant, incident response - U.S., at Trustwave, who adds that states can't just wait around for a national law to pass, plus they are concerned that any national law would be watered down and ineffective.
George Jepsen, the state of Connecticut's attorney general, for example, favors national legislation, but remains concerned about preemption. “I would welcome strong and comprehensive federal legislation in this area, particularly given the national scope of some of the data breaches we have seen and, unfortunately, are likely to see again,” Jepsen says. “However, it would be a critical mistake for federal law to supplant state enforcement authority. It would be counterproductive to reduce the number and effectiveness of regulators who can combat data breaches.”
States are vital, experienced and active participants in responding to these breaches and other privacy violations, he adds. “There is enough enforcement work to go around, and we can be most effective by working as partners among the states and between the states and the federal government.”
One bill that many believe has some legs is the bipartisan legislation developed by Sen. Tom Carper (D-Del.) and Sen. Roy Blunt (R-Mo.). Known as the Data Security Act, if enacted into law it would require companies to notify federal agencies and consumers of a breach that affects more than 5,000 consumers.
Senator Carper says that while Congress waits, the frequency and severity of the attacks grows. In a statement prepared for SC Magazine, Carper says that he and Sen. Blunt have proposed legislation during several consecutive Congresses that would update and streamline the nation's standards for protecting Americans from fraud and identity theft.
“As hackers and their operations become more sophisticated, our security measures must evolve as well,” points out Sen. Carper. “The approach Sen. Blunt and I take, which has bipartisan support, would ensure that businesses and government agencies manage personal and financial information more securely and that they respond quickly and effectively if and when a breach occurs. The longer we wait to act, the greater the risk of damage to Americans and American businesses. I hope that a new year brings a new focus on this issue that will allow us to move forward on smart legislation that will offer greater protection for companies and consumers alike.”
While many agree with the general parameters of the bill, the proposed Carper-Blunt law would give the FTC rule-making authority while the trade and business groups want all specifications written into the law. In some ways, that may make sense.
Some issues yet to be worked out include the timeframe in which companies are required to report a breach. The Carper-Blunt bill does not specify a timeframe and leaves it up to the specific regulator overseeing the institution where the breach occurs. That leads to another unresolved issue: which branch of government should be notified? For example, should companies first notify the FBI or the Department of Homeland Security? On the other hand, the Secret Service has been given a great deal of responsibility to investigate hacking attacks, and it's still unclear what its role would be. The Carper-Blunt bill just says that the regulating agency will determine which law enforcement agency needs to be informed. Clearly, some of these issues need to be sorted out.
Obama's proposal advocates a 30-day reporting deadline but is otherwise short on details. Ken Westin, senior security analyst with Tripwire, hailed the president's efforts in comments sent to SC Magazine, but cited trust and privacy challenges of private industry collaborating with law enforcement. “When a breach has occurred companies may think twice before contacting law enforcement when there is a compromise, at least delaying their response to law enforcement due to the new notification requirements,” he says. “If they reach out to law enforcement for assistance in investigating a breach, would the ‘30 day shot clock’ for breach notification kick in at that point? Would there be a line of communication with law enforcement where information can be exchanged in confidence?”
Noting that companies may have good reason not to notify within 30 days, Westin says, “These are all items I believe that will need to be hashed out before this is rolled out.”
Beside the point?
Still, there are those who say that a national data breach law is beside the point. “The problem I have with a national data breach law is that the horse is out of the barn by the time a company does a breach notification,” says Frymier of Unisys.
“The Sony hack is a good example of why breach legislation primarily oriented toward notification alone can't be the answer,” Frymier says. “The goal of the Sony hack wasn't monetary; it was to embarrass. No notification was needed because it was already out there. What Sony really needed was better security.”
That's why Mike Brown, VP and GM of the global public sector at security company RSA, says national data breach legislation is merely one piece of the puzzle. First, both the House and Senate passed – and President Obama signed into law – the Cybersecurity Enhancement Act of 2014, which authorizes the National Institute of Standards and Technology to develop voluntary guidelines for cybersecurity. The new law promotes cybersecurity research, private/public sector collaboration on cybersecurity, and education and awareness of technical standards.
Along with the Cybersecurity Enhancement Act, Congress also passed – and President Obama signed into law – an update to the Federal Information Security Management Act, better known as FISMA. The update gives the Department of Homeland Security a clear oversight role in federal cyber efforts, as well as authorizes federal agencies to deploy automated security tools to fight cyber attacks.
“I know it's easy to be cynical – and Congress certainly doesn't have a strong recent track record – but our progress at the end of the year gave me some cause for optimism,” says Brown.
He says he's hopeful that the end-of-the-year success could lead to what he views as four important pieces of IT security legislation. The first two, the Cybersecurity Enhancement Act and FISMA, are in place. Next up for 2015 is data breach and information-sharing legislation. Sen. Dianne Feinstein (D-Calif.) was quoted in the press at the end of the year saying that she plans to re-introduce the Cybersecurity Information Sharing Act when the new session convenes, and Senators Lindsey Graham (R-S.C.) and John McCain (R-Ariz.) have expressed support for another law that would encourage companies and federal agencies to share information about cyber attacks.
So what's going on here? Can it be that Republicans and Democrats will actually put their partisan differences aside and do what's best for the country when it comes to cybersecurity? It's possible that there's enough consensus that the problem is severe enough that something has to be done. On the other hand, it's always possible that cybersecurity could become the political football that net neutrality deteriorated into last year.
First things first. On national data breach legislation, the Direct Marketing Association's Thomas says much has changed. Number one, people have the benefit and experience of having worked on this issue for 10 years. Number two, especially with all the news around the Sony hack, there's finally a chance that business interests can align with privacy advocates on identity theft and get something done for the country. And finally, as RSA's Brown points out, national data breach legislation is part of a comprehensive effort by lawmakers to pass a series of common sense laws around cybersecurity.
Add to that Obama throwing in support to kickstart the legislative process and this Congress may be able to do what the 113th Congress and others before it could not: pass a reasonable, bipartisan national data breach law.
While the consensus for action builds, many in the security industry, government and private sector are hoping that leaders will stay proactive and that cybersecurity remains bipartisan rather than becoming another opportunity to score talking points in the daily news cycle. If it does become a political football, the Sony hack really will be the beginning of a dangerous new escalation of cyber attacks – and business and government still won't have a uniform way to respond.
State breach laws: Are there too many?
Law firm Baker and Hostetler, which has 14 offices nationally, keeps a running chart of all the state data breach statutes. While state laws vary on the need for a risk of harm analysis and requirements to notify the state attorney general, here's a quick look at how state laws are all over the map when it comes to notification.
California: Under the state's Medical Information Specific Breach Notification Statute, for the vast majority of licensed clinics, health facilities, home health agencies and hospices, the law requires licensees to notify both affected patients and the California Department of Health Services no later than 15 business days after the unauthorized access, use or disclosure has been detected by the licensed medical facility.
Connecticut: All entities licensed and registered with the Connecticut Insurance Department are required to notify the agency of any information security incident which affects any Connecticut residents as soon as the incident is identified, but no later than five calendar days after the incident is identified.
Florida: Notice of a breach must be provided without unreasonable delay; no later than 30 days; law enforcement can delay notification.
Maine: If after the completion of an investigation notification is required, the notification may be delayed for no longer than seven business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.
Ohio: Notice must be provided in the most expedient time possible but not later than 45 days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement.
Vermont: Notice of the security breach to a consumer shall be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery.
Wisconsin: Notice shall be provided within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information. A determination as to reasonableness shall include consideration of the number of notices that an entity must provide and the methods of communication available to the entity.