
Page 1: HACKING THE CURRENT SYSTEM: CONGRESS’ ATTEMPT TO PASS DATA …illinoisjltp.com/journal/wp-content/uploads/2015/12/Newman.pdf · taken to address problems caused by data breaches

437

HACKING THE CURRENT SYSTEM: CONGRESS’ ATTEMPT TO PASS DATA SECURITY AND BREACH NOTIFICATION LEGISLATION

Brett V. Newman

TABLE OF CONTENTS

I. Introduction ... 438
II. Background ... 439
   A. Data Breach History ... 439
   B. State Action Concerning Data Breaches ... 441
   C. Executive Order ... 443
   D. Federal Action Concerning Data Breaches ... 443
   E. Recent Action ... 444
III. Analysis ... 445
   A. Bills of the 113th Congress ... 446
      1. Cybersecurity Act of 2013 (enacted as the Cybersecurity Enhancement Act of 2014) ... 446
      2. Cybersecurity Information Sharing Act of 2014 ... 447
      3. Personal Data Privacy and Security Act of 2014 ... 449
      4. Data Security Act of 2014 ... 450
      5. Data Security and Breach Notification Act of 2014 ... 450
      6. Personal Data Protection and Breach Accountability Act of 2014 ... 451
   B. Recent Action ... 453
      1. Personal Data Notification & Protection Act ... 453
      2. Data Security & Breach Notification Act of 2015 ... 454
   C. Points of Agreement and Inconsistency ... 455
      1. State Preemption ... 455
      2. Response Method and Time for Notification ... 455
      3. Data Security Practices ... 456
IV. Recommendation ... 457
V. Conclusion ... 460

B.A. Economics, University of Illinois, 2011; J.D., University of Illinois College of Law, 2016 (expected). I would like to thank Carol Hayes, Professor Jay Kesan, and the editorial staff of the Journal of Law, Technology & Policy for their help with my Note.


438 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2015

I. INTRODUCTION

Over the past ten years, an average of roughly 221,000 records have been breached per day.[1] As the world becomes more technologically connected, businesses collect an increasing amount of information from consumers.[2] Businesses are susceptible to data breaches, placing an increasing amount of consumers’ personal information at risk.[3] The Privacy Rights Clearinghouse[4] has recorded 4,599 data breaches made public since 2005.[5] This list of data breaches accounts for a staggering 858,403,517 breached records.[6] Some breaches have been as big as 200,000,000 records, in the case of Court Ventures,[7] and there have been several other breaches of tens—and even hundreds—of millions of records.[8]

Despite the wave of massive breaches and legislative action on the part of many states, there is no comprehensive federal law for data security and breach notification.[9] The private sector has also failed to take appropriate action in response to the massive breaches.[10] In a 2014 survey of 567 executives in the United States, only 73% of them reported that their company had a plan in place for data breaches.[11]

Pressure to pass legislation to solve these issues has come from several branches of government. In the 2015 State of the Union address, President Barack Obama said, “I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information. That should be a bipartisan effort. If we don’t act, we’ll leave our nation and our economy vulnerable.”[12] Federal Trade Commission Chairwoman Edith Ramirez stated, “[n]ever has the need for [data security and breach notification] legislation been greater.”[13]

1. See Chronology of Data Breaches: Security Breaches 2005 – Present, PRIVACY RIGHTS CLEARINGHOUSE, http://www.privacyrights.org/data-breach (last visited Sept. 7, 2015) (showing 858,403,517 breached records since 2005).
2. Prepared Statement of the Federal Trade Commission on Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime Before the Comm. on the Judiciary, United States Senate, F.T.C. (Feb. 4, 2014) (statement of Edith Ramirez, Chairwoman of the Federal Trade Commission).
3. Id.
4. The Privacy Rights Clearinghouse is a non-profit corporation that raises consumer awareness of privacy issues with technology and advocates for consumers’ privacy rights. About the Privacy Rights Clearinghouse, PRIVACY RIGHTS CLEARINGHOUSE, https://www.privacyrights.org/content/about-privacy-rights-clearinghouse (last visited Sept. 7, 2015).
5. PRIVACY RIGHTS CLEARINGHOUSE, supra note 1.
6. Id.
7. Grant Gross, State AGs Investigating Experian Subsidiary’s Data Breach, CIO (Apr. 3, 2014, 8:00 AM), http://www.cio.com/article/2377365/data-breach/state-ags-investigating-experian-subsidiary-s-data-breach.html.
8. PRIVACY RIGHTS CLEARINGHOUSE, supra note 1.
9. At the federal level, there are merely industry-specific data security laws. Muricio F. Paez et al., U.S. Congress Ready to Enact Data Security and Breach Notification Rules After Recent Consumer Data Breaches, JONES DAY (Feb. 2014), http://www.jonesday.com/us-congress-ready-to-enact-data-security-and-breach-notification-rules-after-recent-consumer-data-breaches-02-14-2014.
10. See PONEMON INSTITUTE, IS YOUR COMPANY READY FOR A BIG DATA BREACH?: THE SECOND ANNUAL STUDY ON DATA BREACH PREPAREDNESS 1 (Sept. 2014) (showing that 27% of companies surveyed did not have a data breach response plan in place).
11. Id.
12. President Barack Obama, State of the Union Address (Jan. 20, 2015) in 156 CONG. REC. H415 (daily ed. Jan. 27, 2010).

This Note contemplates the passage of a comprehensive breach notification and data protection law, and it examines how Congress may gain bipartisan support by navigating the delicate balance between data breach regulation and privacy concerns. Part II provides a history of recent data breaches in the United States, as well as legislative and executive action taken to address the problems caused by breaches. Part II also examines state action taken to address problems caused by data breaches. Part III analyzes the potential effectiveness and viability of several recent bills proposed by members of Congress that address the growing concern of data breaches, and it identifies what prevented each bill from passing. Part IV recommends a compromise by compiling useful sections of proposed legislation to create a comprehensive bill that will allow a valuable breach notification and data protection law to be passed while maintaining a high level of privacy.

II. BACKGROUND

In order to determine what legislation is needed, it is important to first examine the problem. This section identifies the recent data breaches in the United States, and it assesses what Congress and the President have done to remedy the problem. It also examines what most states have done on their own to address data breaches.

A. Data Breach History

The Privacy Rights Clearinghouse’s 4,599 reported data breaches since 2005 include fifty-six breaches of over a million records.[14] These breaches have compromised the personal information of millions of customers and put many Americans at risk of identity theft.[15] The threat of future breaches is causing Congress to move quickly to pass a federal breach notification and data security law.[16]

In December 2013, Target became the victim of a data breach.[17] The Target hack affected tens of thousands of in-store credit card readers, which thieves used to steal credit and debit card information from customers.[18] The damages from the breach were massive. The hack compromised approximately forty million credit card and debit card accounts, and up to seventy million people were victims of “additional stolen information.”[19] Target admitted that it missed warning signs prior to the attack, and it faced breach-related costs of $148 million in the second quarter of 2014.[20]

13. Ramirez, supra note 2.
14. PRIVACY RIGHTS CLEARINGHOUSE, supra note 1.
15. Paez et al., supra note 9.
16. Id.
17. Robin Sidel et al., Target Hit by Credit-Card Breach, WALL ST. J. (Dec. 19, 2013, 7:29 AM), http://online.wsj.com/articles/SB10001424052702304773104579266743230242538.
18. Id.
19. Anthony Wing Kosner, Actually Two Attacks in One, Target Breach Affected 70 to 110 Million Customers, FORBES (Jan. 17, 2014, 10:32 PM), http://www.forbes.com/sites/anthonykosner/2014/01/17/actually-two-attacks-in-one-target-breach-affected-70-to-110-million-customers.

Victims of the hack sued Target, and a federal judge in the United States District Court for the District of Minnesota granted preliminary approval for a ten million dollar settlement.[21] The settlement would authorize individual damage awards for as much as $10,000, but each customer would have to show (1) they had unauthorized credit card charges, (2) they invested time dealing with unauthorized charges, and (3) they incurred expenses replacing identification, correcting their credit report, or obtaining identity protection.[22] However, proving that a customer lost money due to a specific breach can be difficult.[23]

In 2014, Home Depot also had a massive breach of its payment data systems,[24] and fifty-six million credit and debit cards were hacked over a five-month period.[25] After this attack, the hackers used stolen credit card numbers to make fraudulent purchases across the United States, and some customers had money drained from their accounts.[26]

Hackers have even taken advantage of the Apple Pay[27] system to use stolen credit card numbers from the Target and Home Depot hacks.[28] While the Apple Pay system has not itself been compromised, the hackers have used the system to buy items with stolen credit card information—the majority of these fraudulent Apple Pay purchases were to buy high-priced items at Apple stores.[29]

In August 2014, JP Morgan Chase fell victim to a cyber attack that compromised its customers’ personal information, including names, addresses, email addresses, phone numbers, and internal information.[30] The attack affected seventy-six million households and seven million small businesses.[31]

20. Rachel Abrams, Target Puts Data Breach Costs at $148 Million, and Forecasts Profit Drop, N.Y. TIMES (Aug. 5, 2014), http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html.
21. Hiroko Tabuchi, $10 Million Settlement in Target Data Breach Gets Preliminary Approval, N.Y. TIMES (Mar. 19, 2015), http://www.nytimes.com/2015/03/20/business/target-settlement-on-data-breach.html.
22. Id.
23. Id. (“Matthew A. S. Esworthy, litigation partner at Shapiro Sher Guinot & Sandler, said that many customers would have trouble proving that they had lost money because of the breach.”).
24. Maggie McGrath, Home Depot Confirms Data Breach, Investigating Transactions from April Onward, FORBES (Sept. 8, 2014), http://www.forbes.com/sites/maggiemcgrath/2014/09/08/home-depot-confirms-data-breach-investigating-transactions-from-april-onward/.
25. Robin Sidel, Home Depot’s 56 Million Card Breach Bigger than Target’s, WALL ST. J. (Sept. 18, 2014), http://online.wsj.com/articles/home-depot-breach-bigger-than-targets-1411073571.
26. Robin Sidel, Fraudulent Transactions Surface in Wake of Home Depot Breach, WALL ST. J. (Sept. 23, 2014), http://www.wsj.com/articles/fraudulent-transactions-surface-in-wake-of-home-depot-breach-1411506081.
27. Apple Pay is a payment system that allows customers to pay for items at participating stores using their iPhone instead of a physical debit or credit card. Apple Pay, APPLE, https://www.apple.com/apple-pay/ (last visited Sept. 8, 2015).
28. Robin Sidel & Daisuke Wakabayashi, Apple Pay Stung by Low-Tech Fraudsters, WALL ST. J. (Mar. 5, 2015), http://www.wsj.com/articles/apple-pay-stung-bylow-techfraudsters-1425603036.
29. Id. (noting that 80% of the fraudulent purchases were made in Apple stores to buy “big ticket items”).
30. Maggie McGrath, JP Morgan Says 76 Million Households Affected by Data Breach, FORBES (Oct. 2, 2014), http://www.forbes.com/sites/maggiemcgrath/2014/10/02/jp-morgan-says-76-million-households-affected-by-data-breach.
31. Id.

In the past few years, several other substantial breaches have occurred, including eBay,[32] Jimmy John’s,[33] and Adobe Systems,[34] and it is unclear how many people these immense breaches affected.

Anthem, one of the largest health insurance companies in the United States, is also a recent victim of a data breach.[35] The Anthem hackers accessed eighty million customers’ records, including their birthdays, addresses, and social security numbers.[36] Anthem revealed the attack only days after it was discovered, which is not typical for organizations after experiencing a breach.[37] Anthem planned to notify affected customers by email, if possible, and by mail.[38]

Millions of records per year continue to be exposed by hackers, and the high-profile breaches mentioned are only a fraction of the total breaches.[39] The prevalence of data breaches and the wide range of targets put most people’s data at risk—credit card numbers and other information may be stolen when a customer uses a credit card at a store, and their personal information can also be taken from an online database.[40] These security risks have pushed states to take action, and the President and Congress have also responded.

B. State Action Concerning Data Breaches

States have been the first to act regarding data breaches, and nearly all of them have passed data breach legislation.[41] State action is only increasing—thirty-two states have introduced or are considering data breach laws,[42] compared to twenty-three states that introduced or considered data breach laws in 2014.[43]

In 2003, California was the first state to require businesses and state agencies to notify customers if a data breach included personal information.[44] Forty-seven out of fifty states have enacted a law that requires consumers to be notified when personal information is part of a breach.[45] Alabama and New Mexico, two of the three states that do not have this notification requirement, have both introduced breach notification bills.[46]

32. Gordon Kelly, eBay Suffers Massive Security Breach, All Users Must Change Their Passwords, FORBES (May 21, 2014), http://www.forbes.com/sites/gordonkelly/2014/05/21/ebay-suffers-massive-security-breach-all-users-must-their-change-passwords.
33. Josh Beckerman, Sandwich Chain Jimmy John’s Reports Data Breach, WALL ST. J. (Sept. 24, 2014), http://online.wsj.com/articles/sandwich-chain-jimmy-johns-reports-data-breach-1411588555.
34. Jim Finkle, Trove of Adobe User Data Found on Web after Breach: Security Firm, REUTERS (Nov. 7, 2013), http://www.reuters.com/article/2013/11/07/us-adobe-cyberattack-idUSBRE9A61D220131107.
35. Anna Wilde Matthews & Danny Yadron, Health Insurer Anthem Hit by Hackers, WALL ST. J. (Feb. 4, 2015), http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720.
36. Id.
37. Id.
38. Id.
39. PRIVACY RIGHTS CLEARINGHOUSE, supra note 1.
40. See Sidel, supra note 25 (showing a breach that utilized credit card terminals); see Matthews & Yadron, supra note 35 (showing a breach that utilized online health information).
41. Security Breach Notification Laws, NAT’L CONFERENCE OF STATE LEGISLATURES (Jan. 12, 2015), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
42. See 2015 Security Breach Legislation, NAT’L CONFERENCE OF STATE LEGISLATURES (June 11, 2015), http://www.ncsl.org/research/telecommunications-and-information-technology/2015-security-breach-legislation.aspx (listing the various states and bills in those states concerning data breaches and security).
43. See 2014 Security Breach Legislation, NAT’L CONFERENCE OF STATE LEGISLATURES (Dec. 23, 2014), http://www.ncsl.org/research/telecommunications-and-information-technology/2014-security-breach-legislation.aspx (listing the states that had proposed or finalized legislation on data breaches in 2014).

Many states have also proposed additional legislation to help prevent data breaches in the future.[47] Individual state action has led to a wide array of laws from state to state, particularly in the area of breach notification requirements.[48] This lack of uniformity can cause companies to expend resources on complying with up to fifty different breach notification laws instead of using those resources to remedy the breach.[49] Many of these state laws regulate the same areas,[50] but the inconsistencies may cause a problem.

Most states allow for substitute notice of a breach if the breach affects a certain number of people.[51] In other words, if a data breach is large enough, the company is not required by law to contact individuals directly, and it can simply post a notice on its own website.[52] If a company posts the notice to its website, many people are unlikely to see it. The threshold for substitute notice varies from state to state.[53]

The lack of uniformity between state breach notification laws has led many, including former Attorney General Eric Holder, to call for a federal standard concerning breaches.[54] This view has received bipartisan support, but there remains disagreement as to whether a federal breach notification law should preempt state breach notification law.[55]

44. Kamala D. Harris, California Data Breach Report, STATE OF CAL. DEP’T OF JUSTICE OFFICE OF GEN. COUNSEL (Oct. 2014), https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf.
45. 2014 Security Breach Legislation, supra note 43 (Alabama, New Mexico, and South Dakota are currently the only states that do not have this type of breach notification law).
46. See 2015 Security Breach Legislation, supra note 42.
47. 2014 Security Breach Legislation, supra note 43.
48. See generally Michael Keller, Holiday Shopping? How Much do Data Breach Notification Laws Protect?, AL JAZEERA AM. (Dec. 1, 2014), http://america.aljazeera.com/multimedia/2014/12/to-catch-a-breachhowmuchdodatabreachnotificationlawsprotect.html (discussing the differences in amount of protection given to different types of data in different states).
49. Stephen E. Schatz, Retailers Support Passage of Federal Data Breach Notification Legislation, NAT’L RETAIL FED’N (Feb. 5, 2015), https://nrf.com/media/press-releases/retailers-support-passage-of-federal-data-breach-notification-legislation.
50. Security Breach Notification Laws, supra note 41 (stating that security breach laws typically (1) define covered businesses, (2) define “personal information,” (3) describe what constitutes a breach, (4) give requirements for notice following a breach, and (5) give exemptions).
51. Keller, supra note 48.
52. Id.; see, e.g., Customer Update on Data Breach, THE HOME DEPOT, https://corporate.homedepot.com/mediacenter/pages/statement1.aspx (last visited Sept. 8, 2015) (updating customers of a previous data breach through a posting on their website).
53. Keller, supra note 48.
54. Id.
55. See Jonathan Randles, Retail Groups Want Data Breach Law with Broad Preemption, LAW 360 (Jan. 27, 2015, 3:49 PM), http://www.law360.com/articles/615404/retail-groups-want-data-breach-law-with-broad-preemption (discussing the ability for a federal data breach law to preempt state law and the support for and against it on both sides).

C. Executive Order

On February 12, 2013, President Barack Obama signed an executive order to improve critical infrastructure cybersecurity.[56] This executive order called for information sharing, a hallmark of recent data security bills, and a “voluntary critical infrastructure cybersecurity program.”[57] The executive order led the National Institute of Standards and Technology to develop a cybersecurity framework.[58] Two years later, President Obama followed with another executive order that promoted the creation of Information Sharing and Analysis Organizations to collaborate and respond to cyber threats.[59]

The U.S. Chamber of Commerce, among others, strongly opposed the imposition of private sector cybersecurity standards.[60] Stewart Baker, a partner at Steptoe & Johnson LLP, stated that despite the voluntary nature of Executive Order 13636, failure to comply could potentially be used to show negligence if a company was sued.[61] Concerns such as this one demonstrate why it is difficult for Congress to get the bipartisan support needed to pass data security and breach notification laws.

D. Federal Legislative Action Concerning Data Breaches

Congress has passed data privacy and notification laws for specific industries, despite the lack of comprehensive legislation regarding data protection.[62] For example, the Gramm-Leach-Bliley Act regulates financial institutions, and it allows government agencies to establish standards in order to protect against security threats.[63] The Gramm-Leach-Bliley Act has even provided the framework for other bills that seek to address the same issue but focus on all industries.[64]

The Health Insurance Portability and Accountability Act establishes similar standards,[65] but in the realm of the healthcare industry.[66] It covers the area of health information, and it sets standards to notify the individual, the media, and the Secretary of Health and Human Services.[67]

56. See Exec. Order 13636, 78 Fed. Reg. 11739 (2013) (ordering that the United States improve critical infrastructure in relation to data breaches and cybersecurity).
57. Id.
58. NAT’L INST. OF STANDARDS AND TECH., FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY (2014), http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf (describing the framework of the NIST’s plan to improve cybersecurity infrastructure at the federal level).
59. See Exec. Order 13691, 80 Fed. Reg. 9349 (2015) (promoting the open sharing of cybersecurity related information between private entities).
60. Alexei Alexis, President Obama Signs Executive Order on Cybersecurity, Seeks Voluntary Standards, BLOOMBERG BNA (Feb. 18, 2013), http://www.bna.com/president-obama-signs-n17179872423/.
61. Id.
62. Steven G. Gersten, Richard J. Johnson & Muricio F. Paez, U.S. Congress Ready to Enact Data Security and Breach Notification Rules After Recent Consumer Data Breaches, JONES DAY (Feb. 2014), http://www.jonesday.com/us-congress-ready-to-enact-data-security-and-breach-notification-rules-after-recent-consumer-data-breaches-02-14-2014.
63. Gramm-Leach-Bliley Act, 15 U.S.C. § 6801(b) (2012).
64. See FINANCIAL PRIVACY LAW GUIDE LETTER NO. 152 ISSUE NO. 288, 2014 WL 1872689 (“[Roy] Blunt stated that The Data Security Act of 2014 is modeled after the data security and breach-response regime established under the Gramm-Leach-Bliley Act of 1999 and subsequent regulations.”).
65. 45 C.F.R. §§ 164.400–414 (2015).
66. 45 C.F.R. § 164.400 (2015).

Amid the calls for a national standard to legislate this area of need,68

several Senators introduced bills in the last Congress related to the issues of

cybersecurity and data privacy: The Cybersecurity Enhancement Act of

2014,69

the Cybersecurity Information Sharing Act of 2014,70

the Personal

Data Privacy and Security Act of 2014,71

the Data Security Act of 2014,72

the

Data Security and Breach Notification Act of 2014,73

and the Personal Data

Protection and Breach Accountability Act of 2014.74

Each bill addresses key

areas that are desperately in need of a clear statement from Congress, such as

uniform standard setting data breach notification requirements. Many of the

bills address similar issues, and there are only a few issues that divide

Republicans and Democrats.

Recently, Congress has shown urgency to pass a breach notification law,

and President Barack Obama has proposed the Personal Data Notification and

Protection Act.75

By combining portions of the bills proposed in the last

Congress, it is possible to construct a viable data breach notification and data

security law that can create a uniform standard across the country and

adequately protect consumers.

E. Recent Action

At the start of the year, President Obama proposed his own solution to the

data breach question by introducing the Personal Data Notification and

Protection Act.76

One of the focuses of this law is to set a thirty-day standard

for notification after a breach.77

In response to this bill, there remains a

disagreement as to whether a federal standard should preempt state law.78

Former chairman of the Federal Trade Commission, Jon Leibowitz, noted the

challenges presented by forty-eight separate state laws, but a representative of

the Electronic Privacy Information Center, Marc Rotenberg, stated that a

67. 45 C.F.R. §§ 164.400–414 (2015).

68. Grant Gross, Obama Calls for Data Breach Notification Law, Privacy Bill of Rights, PC WORLD

(Jan. 12, 2015, 12:16 PM), http://www.pcworld.com/article/2867872/obama-calls-for-data-breach-notification-

law-privacy-bill-of-rights.html; Schatz, supra note 49.

69. Cybersecurity Enhancement Act of 2014, Pub. L. No. 113-274, 128 Stat. 2971 (2014).

70. Cybersecurity Information Sharing Act of 2014, S. 2588, 113th Cong. (2014), https://www.

congress.gov/bill/113th-congress/senate-bill/2588/text.

71. Personal Data Privacy and Security Act of 2014, S. 1897, 113th Cong. (2014), https://www.

congress.gov/bill/113th-congress/senate-bill/1897/text.

72. Data Security Act of 2014, S. 1927, 113th Cong. (2014), https://www.congress.gov/bill/113th-

congress/senate-bill/1927/text.

73. Data Security and Breach Notification Act of 2014, S. 1976, 113th Cong. (2014), https://www.

congress.gov/bill/113th-congress/senate-bill/1976/text.

74. Personal Data Protection and Breach Accountability Act of 2014, S. 1995, 113th Cong. (2014),

https://www.congress.gov/bill/113th-congress/senate-bill/1995/text.

75. Michael D. Shear & Natasha Singer, Obama to Call for Laws Covering Data Hacking and Student

Privacy, N.Y. TIMES (Jan. 11, 2015), http://www.nytimes.com/2015/01/12/us/politics/obama-to-call-for-laws-

covering-data-hacking-and-student-privacy.html.

76. Id.

77. Id.

78. Id.

Page 9: HACKING THE CURRENT SYSTEM: CONGRESS’ ATTEMPT TO PASS DATA …illinoisjltp.com/journal/wp-content/uploads/2015/12/Newman.pdf · taken to address problems caused by data breaches

No. 2] HACKING THE CURRENT SYSTEM 445

preemptive federal standard would prevent states from making their own laws requiring a quicker notification after a breach.[79]

Following the Anthem breach, the U.S. Senate’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security[80] held a hearing to discuss data breach legislation.[81] In this hearing, the panelists discussed state law preemption, breach notification procedures and standards, and data security measures.[82] During the hearing, it was clear that, despite the support for a breach notification and data security bill, there was a strong disagreement regarding the specific factors.[83] On the topic of preemption alone, some called for an expansive preemption, while some called for a narrow preemption.[84] Others said that the best option was to have no preemption at all.[85] Further, the parties could not agree under what circumstances notice of a breach should be given.[86] The disagreement at this hearing was a reminder of the barriers faced in passing comprehensive data breach notification and data security legislation—even though everyone may agree that there is a need for immediate legislation.[87]

The patchwork state legislation and numerous bills introduced in Congress show how difficult it is to agree on breach notification and data security measures. There is likely an agreement that the United States needs a data breach law, but that does not mean that one will be passed.[88] The problem may also come from a surplus of Congressional committees claiming jurisdiction and trying to tackle the issue[89]—resulting in too many different bills.[90] Examining the failed bills of the 113th Congress—and one of the “successes”—is the start of determining a solution to this problem.

III. ANALYSIS

In order to come up with the best solution, it is important to examine and assess the bills that have been introduced on the topics of data security and breach notification. Then it is possible to use sections from these proposed bills in order to protect the consumer and create a reasonable standard to set for businesses. This section contains an analysis of selected bills proposed in the

79. Id.

80. U.S. Senate Committee on Commerce, Science & Transportation, SENATE.GOV, http://www.commerce.senate.gov/public/index.cfm?p=ConsumerProtectionProductSafetyandInsurance (this subcommittee is part of the U.S. Senate Committee on Commerce, Science & Transportation).

81. Memorandum from the Republican Comm. Staff, to Members of the S. Comm. on Commerce, Sci., and Transp. (Feb. 3, 2015) (Subcommittee hearing on “Getting it Right on Data Security and Breach Notification Legislation”).

82. Id.

83. Id.

84. Id.

85. Id.

86. Id.

87. Id.

88. Eric Chabrow, Why U.S. Breach Notice Bill Won’t Pass, BANK INFO. SEC. (Jan. 14, 2014), http://www.bankinfosecurity.com/blogs/us-breach-notice-bill-wont-pass-p-1602/op-1.

89. Id.

90. Id.


446 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2015

113th Congress. It points out the areas of agreement, and the areas that kept all but one of the bills from passing.

A. Bills of the 113th Congress

Examining the proposed bills gives a baseline for potential legislation. The bills below highlight the differing opinions on data breach strategy, each important in creating a workable solution.

1. Cybersecurity Act of 2013 (enacted as the Cybersecurity Enhancement Act of 2014)

Jay Rockefeller[91] sponsored the Cybersecurity Act of 2013, a bill that addressed cybersecurity issues by facilitating the development of voluntary standards to combat cybersecurity threats.[92] This bill, renamed the Cybersecurity Enhancement Act of 2014, passed the House and Senate on December 11, 2014, and it was signed into law one week later.[93]

The Cybersecurity Enhancement Act of 2014 gives the National Institute of Standards and Technology power to guide the development of a “voluntary, industry-led set of standards . . . to cost-effectively reduce cyber risks to critical infrastructure.”[94] It received bipartisan support, partially because it avoids regulatory issues that doom other similar bills.[95] The Cybersecurity Enhancement Act of 2014 does not give any regulatory authority to federal or state agencies—and this has been enough to gain support from many different places, including the U.S. Chamber of Commerce, AT&T, Verizon, IBM, and Symantec.[96] Given the lack of regulatory authority in the bill, the standards and best practices developed would be entirely voluntary.[97] Opponents might note that this lack of regulatory authority would prevent any real oversight or meaningful change in the behavior of businesses—how can the government ensure that companies are taking appropriate measures to protect consumer data if there is no ability to regulate in the area?

Rather than focusing on establishing reactive measures, this act takes a proactive approach that looks much further ahead than other bills addressing this area of law.[98] It establishes cybersecurity competitions and scholarships to help prepare the next generation to address cybersecurity-related issues.[99] It also provides for a research and development “strategic plan” related to cybersecurity risk.[100] It is difficult to believe that Congress would not be supportive of including this section in a cybersecurity bill, because it is separate from the partisan issues that impede cybersecurity legislation.

Given the bipartisan support of the Cybersecurity Enhancement Act of 2014, it was able to become law.[101] Unfortunately, in order to gain bipartisan support, the bill left out key sections that could potentially have an even greater effect on data security—for example, a comprehensive data-sharing plan that would facilitate the cooperation between companies and the government to combat breaches (like that included in the Cybersecurity Information Sharing Act of 2014[102]). The lack of contentious issues included in the Cybersecurity Act of 2013 is an example of the compromise needed to gain bipartisan support for a cybersecurity bill.

The Cybersecurity Enhancement Act of 2014 was the only bill examined in this Note to be passed. Even with bipartisan support for the bill, it took until the last month of Congress’ session to approve this step towards better cybersecurity.[103]

2. Cybersecurity Information Sharing Act of 2014

Senate Intelligence Committee Chairwoman Dianne Feinstein[104] sponsored the Cybersecurity Information Sharing Act of 2014. This bill hoped to encourage data sharing among companies and between the government and companies.[105] This bill would have allowed private entities to monitor, for cybersecurity purposes, the following information systems: (1) the entity’s own systems, (2) another entity’s system with written consent, or (3) a Federal entity with its consent.[106] To encourage participation in the data-sharing plan, the Act provided liability protection to the participating entities—there would be no cause of action for monitoring information systems or sharing threat indicators, if conducted in accordance with the Act.[107] An entity would also be protected as long as it relied in good faith that its action was permitted by the Act.[108] This blanket protection from liability may have caused more harm than

91. Senator John D. Rockefeller IV, CONGRESS.GOV, https://www.congress.gov/member/jay-rockefeller/R000361 (Jay Rockefeller was a Democratic Senator from West Virginia from 1985–2015).

92. Cybersecurity Enhancement Act of 2014, S. 1353, 113th Cong. (2014), https://www.congress.gov/bill/113th-congress/senate-bill/1353.

93. Major Actions: S. 1353 – 113th Congress (2013–2014), CONGRESS.GOV, https://www.congress.gov/bill/113th-congress/senate-bill/1353/actions [hereinafter Major Actions].

94. Cybersecurity Enhancement Act of 2014, S. 1353, 113th Cong. § 101(a)(2) (2014).

95. Shaun Waterman, Senators Pushing Business-Backed Cybersecurity Bill, WASH. TIMES (July 30, 2013), http://www.washingtontimes.com/news/2013/jul/30/senators-pushing-business-backed-cybersecurity-bil/.

96. Featured Legislation: The Cybersecurity Act of 2013, U.S. SENATE COMM. ON COMMERCE, SCI., & TRANSP. (July 24, 2013), http://www.commerce.senate.gov/public/index.cfm?p=Legislation&ContentRecord_id=6f4da480-5cd6-4c1e-a2cd-122c621d6a88.

97. Chabrow, supra note 88.

98. See Cybersecurity Enhancement Act of 2014, Pub. L. No. 113-274, 128 Stat. 2971 (2014) (establishing competitions and scholarships to prepare the next generation for dealing with cybersecurity issues).

99. Id.

100. Id.

101. Id.

102. See infra section III (B)(2) (describing the data-sharing plan between government entities included in the Cybersecurity Information Sharing Act of 2014).

103. See Major Actions, supra note 93 (showing history of the act, including date of passage on Dec. 11, 2014).

104. Cybersecurity Information Sharing Act of 2014, S. 2588, 113th Cong. (2014), https://www.congress.gov/bill/113th-congress/senate-bill/2588/actions.

105. See id. at § 3 (describing the Act’s goal of encouraging information sharing between companies and the Federal Government).

106. Id. at § 4.

107. See id. § 6 (prohibiting causes of action against entities for sharing cyber threat indicators or monitoring information systems).

108. Id.


good,[109] and it also may have kept that section of the bill from becoming law. The bill gave immunity to companies that share data, which could have potentially made it very difficult for people to seek legal remedies from companies.[110] The bill’s sponsors believed that legal protections were needed to facilitate the sharing of information,[111] but civil liberties advocates were concerned about the potential empowerment of the NSA.[112]

The Cybersecurity Information Sharing Act of 2014 was met with strong opposition from privacy experts.[113] Some noted that by allowing voluntary sharing of information for cybersecurity purposes, the government might have a way around the protections of the Electronic Communications Privacy Act.[114] The use of the language “[n]otwithstanding any other provision of law” under the authorization for monitoring and the authorization for sharing cybersecurity threat indicators was particularly troublesome.[115] The privacy advocates’ fear was that the broad definition of “cybersecurity information” could allow the government to get a wide variety of information from private entities and even allow the government to use that gathered personal information in criminal proceedings.[116]

Privacy advocates gave some of the biggest critiques of this bill—they were wary of the problems that could arise after sharing information with the government, given the power of the NSA and other government agencies.[117] The leak by Edward Snowden[118] has made the United States very skeptical of government information gathering practices, meaning people are much less willing to trust their personal information in the hands of the government, particularly the NSA.[119] The wording of this bill allowed for data to be used for purposes unrelated to the original cyber-threat, which worried privacy

109. Sandra Fulton, Beware the Dangers of Congress’ Latest Cybersecurity Bill, AM. CIVIL LIBERTIES UNION (June 27, 2014), https://www.aclu.org/blog/beware-dangers-congress-latest-cybersecurity-bill (“While we hope many companies would jealously guard their customers’ information, there is a provision in the bill that would excuse sharers from any liability if they act in “good faith” that the sharing was lawful.”).

110. Eric Niang, Senate Panel Approves Cybersecurity Data Sharing Bill, CQ ROLL CALL (July 9, 2014), 2014 WL 3337435.

111. Gregory C. McNeal, Movement on Cybersecurity Legislation Likely After Election, FORBES (Dec. 31, 2014), http://www.forbes.com/sites/gregorymcneal/2014/10/31/movement-on-cybersecurity-legislation-likely-after-election/.

112. Id.

113. See M.G., Once More Unto the Breaches, THE ECONOMIST (July 10, 2014) (describing privacy groups’ opposition to cyber-security legislation), http://www.economist.com/blogs/democracyinamerica/2014/07/cyber-security-and-nsa; see also Niang, supra note 110 (describing privacy advocates’ opposition to cyber-security legislation).

114. Fulton, supra note 109.

115. S. 2588, at § 4.

116. Id.

117. See M.G., supra note 113 (describing public wariness of sharing information with the government).

118. Edward Snowden is a former United States defense contractor with Booz Allen Hamilton who released numerous top-secret documents related to the National Security Agency’s surveillance programs. Glenn Greenwald, Ewen MacAskill & Laura Poitras, Edward Snowden: the Whistleblower Behind the NSA Surveillance Revelations, THE GUARDIAN (June 11, 2013), http://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance.

119. See generally Edward Snowden: Leaks that Exposed US Spy Programme, BBC (Jan. 17, 2014), http://www.bbc.com/news/world-us-canada-23123964 (describing the breadth of Federal Government surveillance operations).


advocates.[120] Further, the Act also exempted the cybersecurity sharing programs from transparency programs like the Freedom of Information Act and state “sunshine laws.”[121] This transparency exemption prevented citizens from keeping a check on this government data-sharing program and ensuring that it would not abuse its power.[122] This provision, along with the lack of trust in the United States’ government, was likely to make many Americans uneasy about this bill.

3. Personal Data Privacy and Security Act of 2014[123]

Senator Patrick Leahy[124] has introduced the Personal Data Privacy and Security Act in every Congress since 2005.[125] Following the recent breaches,[126] he introduced the bill again in 2014.[127] The bill aimed to increase punishments for violations of data privacy and subjected many business entities to a security program.[128] The bill also gave businesses and federal agencies a sixty-day timeline to disclose breaches to individuals whose personally identifiable information had been compromised.[129] This bill’s timeline was the same as the timeline used by the Health Insurance Portability and Accountability Act.[130] Several states that have legislated on the notification timeline, including Florida, Ohio, Vermont, and Wisconsin, have set stricter standards for notice.[131]

This Act called for increased punishments for identity theft and for willful concealment of breaches.[132] It also set a standard for data privacy and security programs.[133] There was no private cause of action against a business for a violation of this Act.[134] Despite the well-understood need for data breach laws, the strong disagreement in Congress made this bill unlikely to become law during the 113th Congress.[135]

120. See M.G., supra note 113 (noting public concern that information about cyber-threats would be used for other purposes).

121. Fulton, supra note 109, at 3.

122. Id.

123. Personal Data Privacy and Security Act of 2014, S. 1897, 113th Cong. (2014).

124. U.S. Senator Patrick Leahy of Vermont, SENATE.GOV, http://www.leahy.senate.gov/biography (last visited Sept. 6, 2015).

125. Chabrow, supra note 88.

126. Tom Risen, Sen. Patrick Leahy Introduces Data Privacy Bill in Wake of Target Breach, U.S. NEWS (Jan. 8, 2014), http://www.usnews.com/news/articles/2014/01/08/sen-patrick-leahy-introduces-data-privacy-bill-in-wake-of-target-breach.

127. Personal Data Privacy and Security Act of 2014, S. 1897, 113th Cong. (2014).

128. Id.

129. Id. at § 211(c); Chabrow, supra note 88.

130. Health Insurance Portability and Accountability Act, 45 C.F.R. §§ 164.400–414.

131. Data Breach Charts, BAKERHOSTETLER (2015), http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf (last visited Sept. 8, 2015).

132. Personal Data Privacy and Security Act of 2014, S. 1897, 113th Cong. (2014).

133. Id.

134. Id.

135. See Chabrow, supra note 88.


4. Data Security Act of 2014

Republican Senator Tom Carper[136] proposed the Data Security Act of 2014.[137] This bill was modeled after the breach standards outlined in the Gramm-Leach-Bliley Act,[138] and its purpose was to require notice after security breaches and to facilitate the protection of private information.[139] The bill left much of the security procedures up to the companies; in describing the security procedures required, this bill called only for “reasonable policies and procedures” to protect data security.[140]

This bill did not give a private right of action for regulations under the act, and it went even further to say that individuals did not have a private right of action in state court for something that is regulated under this act.[141] The Data Security Act of 2014 relied on administrative enforcement of the provisions, and it did so at the expense of private rights of action against companies in violation of the Act.[142] This point, in particular, caused significant pushback regarding this bill because it would leave many individuals without remedies in state court even if hackers and companies violated state law—and it would have prevented individuals from pursuing class-action lawsuits.[143] This bill would have taken away existing state law rights from the consumer—it prevented pursuing certain state law causes of action.[144] It seems contradictory to take away state law rights in a bill that is intending to protect information relating to customers.

5. Data Security and Breach Notification Act of 2014

The Data Security and Breach Notification Act of 2014, another bill introduced by Senator Jay Rockefeller, required companies to adopt reasonable procedures to protect personal information.[145] This Act would have given the Federal Trade Commission the power to set security standards for entities possessing personal information.[146] The Act would have also set a strict notification standard—it would have required notification to affected individuals within thirty days of discovery of the breach unless that was not feasible.[147] The Act would have also given the Federal Trade Commission the power to determine the circumstances in which substitute notification would be

136. Tom Carper: U.S. Senator for Delaware, SENATE.GOV, http://www.carper.senate.gov/public/index.cfm/about?p=biography-and-pictures (last visited Sept. 8, 2015).

137. Data Security Act of 2014, S. 1927, 113th Cong. (2014).

138. Financial Privacy Law Guide Letter No. 152 Issue No. 288, FIN. PRIVACY LAW GUIDE, 2014 WL 1872689 (2014).

139. Data Security Act of 2014, S. 1927, 113th Cong. (2014).

140. Id. at § 3(a)(1).

141. Id. at § 5(c).

142. Id.

143. Chris Dimarco, Data Security Act of 2014 Could Stitch Together Patchwork of Current Regulations, INSIDE COUNSEL (Jan. 22, 2014), http://www.insidecounsel.com/2014/01/22/data-security-act-of-2014-could-stitch-together-pa.

144. Id.

145. Data Security and Breach Notification Act of 2014, S. 1976, 113th Cong. (2014).

146. Id. at § 2(a).

147. Id. at § 3(c).


allowed instead of direct notification.[148]

This bill was in conflict with Republican proposed legislation, primarily because it gave the Federal Trade Commission the power to set standards regarding data security.[149] Republicans wanted to merely redefine the Federal Trade Commission’s enforcement powers—against companies who failed to take reasonable steps to protect personal data—without giving it any additional power to set standards for data security.[150] This contentious issue made the Data Security and Breach Notification Act of 2014 difficult to pass if the final version included giving regulatory power to the Federal Trade Commission.[151] Given the conflicting nature of the Democratic and Republican proposed bills, it would have been difficult for either to get bipartisan support.

A useful but most likely controversial section of this law criminalized the concealment of breaches, and it gave the United States Secret Service and the Federal Bureau of Investigation the power to enforce it.[152] A section for the criminalization of concealment was a very hard stance, but it would have sent a strong message to anyone thinking of trying to keep a breach a secret. In order for the concealment of a breach to be punished by the Secret Service or the Federal Bureau of Investigation, it must have been intentional and willful, and it must have led to economic harm of at least $1000 to an individual.[153] The standard of intentional and willful was a relatively high bar for a criminal charge, especially when talking about the theft of basic personal information, the value of which could be below $1000.

Similar to other bills, this Act would have preempted state laws concerning security procedures and breach notification.[154] Even so, with fifty different methods of regulating breach notification, a uniform standard would have allowed for a clear and comprehensive measure for standards to be set. Senator Thune, the backer of the conflicting Republican bill, even agreed with the need for a uniform standard.[155] This shows there is bipartisan agreement that this type of law needs to be passed[156]—this small agreement, along with some compromise between the two parties, could be what prompts Congress to eventually adopt a data security and breach notification law.

6. Personal Data Protection and Breach Accountability Act of 2014

In February 2014, Senator Richard Blumenthal[157] introduced the Personal Data Protection and Breach Accountability Act of 2014 to the Senate.[158] This bill set a series of safeguards for all business entities to follow in their data privacy programs,[159] and it created “stringent” penalties for companies that did not properly protect personal information or timely notify customers of a breach of their information.[160]

Similar to the Data Security and Breach Notification Act of 2014, the Personal Data Protection and Breach Accountability Act of 2014 specifically authorized punishment for intentional or willful concealment of a data breach of personal information.[161] The Personal Data Protection and Breach Accountability Act of 2014 did not have a dollar amount requirement for the willful concealment of a data breach, and it only required economic harm or “substantial emotional distress” to at least one person.[162] The lack of a dollar amount made a large difference in the enforceability of this Act because it did not require an individual to prove how much their stolen personal information was worth to them.

The Act allowed many different stakeholders to enforce a violation of the Act, including the Attorney General of the United States, state Attorneys General, or individuals in a civil action.[163] Unlike other bills that prevented private causes of action,[164] this Act would have allowed individuals to bring suit against business entities and seek damages up to $20,000,000 as well as punitive damages for willful or intentional violation.[165] These punishments were sure to get the attention of all people involved, and they would have most likely strongly discouraged behavior in violation of this Act.

Going further to protect individuals, the bill outlined remedies following a breach; these remedies include free credit monitoring services, a security freeze on the individual’s credit report, and a reimbursement of costs resulting from the breach, including costs resulting from identity theft.[166] It even required the business to notify credit-reporting agencies if the breach resulted in the required notification of more than 5,000 people.[167]

In relation to the security breach notification procedures, this Act would not have exempted companies from liability under state laws—it would only have added further protection under federal law.[168] This bill was consumer friendly, and it provided the most for individuals who would be negatively affected by a data breach. Given the consumer focus of the Personal Data

148. Id. at § 3(d)(2)(A).

149. Alexei Alexis, Data Security Outlook Remains Uncertain Despite Flurry of Bills, BLOOMBERG BNA (Apr. 22, 2014), http://www.bna.com/data-security-outlook-n17179889758; see Data Security and Breach Notification Act of 2013, S. 1193, 113th Cong. (2013) (requiring data collecting entities to notify individuals in case of breach without allowing the Federal Trade Commission to set standards).

150. Alexis, supra note 149.

151. See id. (citing lack of support from Republicans and the Chamber of Commerce to giving the Federal Trade Commission rulemaking authority).

152. S. 1976, § 5(f).

153. Id.

154. Id. at § 7.

155. Alexis, supra note 149.

156. Id.

157. About Senator Blumenthal, SENATE.GOV, (Sept. 8, 2015), http://www.blumenthal.senate.gov/biography.

158. Personal Data Protection and Breach Accountability Act of 2014, S. 1995, 113th Cong. (2014).

159. Id. at § 202.

160. Erica Teichert, Senate Bill Would Punish Cos. For Lax Data Security, LAW 360 (Feb. 4, 2014, 9:12 PM), http://www.law360.com/articles/507053/senate-bill-would-punish-cos-for-lax-data-security.

161. S. 1995, § 101.

162. Id.

163. Id. at §§ 203–05, 218–20.

164. See Personal Data Privacy and Security Act of 2014, S. 1897, 113th Cong. (2014) (preventing private causes of action).

165. S. 1995, §§ 205, 220.

166. Id. at § 215.

167. Id. at § 216.

168. Id. at § 221(b)(1).


Protection and Breach Accountability Act of 2014, there would likely be opposition from business-focused organizations, which would have to bear most of the burden of the proposed legislation. This bill did not pass, and it died with the adjournment of the 113th Congress[169]—however, it may be used as an example for future bills directed towards a high level of consumer protection.

B. Recent Action

Since the adjournment of the 113th Congress, there has been quick action to address data security and breach notification concerns in the new year—this has come by way of a proposal by President Obama and a new bill introduced in Congress.

1. Personal Data Notification & Protection Act

On January 12, 2015, President Obama proposed the Personal Data Notification & Protection Act.[170] President Obama proposed this in addition to several other measures aimed at promoting data security and privacy, including the “Consumer Privacy Bill of Rights,” a “Voluntary Code of Conduct for Smart Grid Customer Data Privacy,” and the “Student Digital Privacy Act.”[171] President Obama received support from both Democratic and Republican Congressmen following his proposals.[172] The breach notification law has been considered for over ten years, and the Consumer Privacy Bill of Rights has been considered for three years.[173]

The Personal Data Notification & Protection Act contains parts similar to those of other bills, but it applies to a wider group of personal information than those bills.[174] The protected “sensitive personally identifiable information” includes: (1) first and last name in combination with several different elements, (2) a government-issued identification number, including a social security number or driver’s license number, (3) biometric data including fingerprints or voice prints, (4) unique account identifiers, and (5) a username in combination with a password or security question.[175] It also allows a combination of different information to meet the standard, and it allows the Federal Trade Commission to amend the definition of “sensitive personally identifiable information.”[176]

169. S. 1995 (113th): Pers. Data Prot. & Breach Accountability Act of 2014, GOVTRACK.US, https://www.govtrack.us/congress/bills/113/s1995 (last visited Sept. 9, 2015).

170. Jeff Kosseff, Analysis of White House Data Breach Notification Bill, NAT’L L. REV. (Jan. 15, 2015) [hereinafter Kosseff], http://www.natlawreview.com/article/analysis-white-house-data-breach-notification-bill.

171. Press Release, Office of the Press Secretary, The White House, FACT SHEET: Safeguarding American Consumers & Families, (Jan. 12, 2015), http://www.whitehouse.gov/the-press-office/2015/01/12/fact-sheet-safeguarding-american-consumers-families.

172. Cheryl Bolen, Obama Revives Data Breach Notice, Consumer Privacy, Security Proposals, BLOOMBERG BNA (Jan. 16, 2015) [hereinafter Bolen], http://www.bna.com/obama-revives-data-n17179922217/.

173. Id.

174. Kosseff, supra note 170.

175. Personal Data Notification & Protection Act, H.R. 1704, 114th Cong. § 112(12) (2015).

176. Id.


The Personal Data Notification & Protection Act also sets a strict

standard of notification to the Federal Trade Commission—thirty days after the

entity discovers the breach.177

The notice requirement applies to businesses

that use personally identifiable information of more than 10,000 individuals in

a year long period.178

The Personal Data Notification & Protection Act has an

exception that does not require companies to disclose breaches if there is not a

reasonable risk that the individuals whose data was affected will be harmed.179

The Federal Trade Commission and state Attorneys General would handle the

enforcement of the provisions of this Act.180

The sticking point of the Personal Data Notification & Protection Act may be the fact that it would supersede state laws covering the breach of computerized data from business entities.181 A partner at Dorsey & Whitney LLP in Minneapolis noted that the issue of state law preclusion “may be a deal-killer either way.”182 This type of disagreement is what prevents bills like this from getting through a substantially divided Congress.

The Personal Data Notification & Protection Act contains a range of provisions that are needed to enact much-needed data security legislation; however, one small provision may be enough to derail the whole thing.183 Even if not adopted in full, the Personal Data Notification & Protection Act sets a high standard for the definition of sensitive personally identifiable information and notification deadlines—both of which could be used to supplement legislation that is more likely to be passed.

2. Data Security & Breach Notification Act of 2015

The Data Security and Breach Notification Act of 2015 was introduced in the Senate on January 13, 2015.184 This bill showed fast action by the new 114th Congress.185 The Data Security & Breach Notification Act of 2015 would give the Federal Trade Commission the power to promulgate regulations for information security.186 The Act also requires notification within 30 days, unless that would not be feasible due to certain circumstances.187 The Act preempts state laws relating to data security and breach notification, but it does not preempt state law tort, contract, trespass, or fraud claims.188 Taking into account the concerns surrounding the failed bills of the 113th Congress, the Data Security & Breach Notification Act of 2015 could provide some compromise to enact the comprehensive data security and breach notification law that the United States needs.

177. Id. at § 101(c).

178. Id. at § 101(a).

179. Id. at § 102(b)(1)(A).

180. See generally id. § 107–08 (explaining the rules and methods of enforcement by the Federal Trade Commission and State attorneys general).

181. Bolen, supra note 172.

182. Id.

183. Id.

184. Data Security and Breach Notification Act of 2015, S. 177, 115th Cong. (2014).

185. Id.

186. Id. at § 2(a)(1).

187. Id. at § 3(c).

188. Id. at § 7.

C. Points of Agreement and Inconsistency

The proposed bills overlapped in several areas, but they directly contradicted one another in other areas. The three areas of most concern are (1) the legislation’s effect on state law, (2) the method of breach notification and time requirements for notification, and (3) data security requirements for entities possessing customers’ personal information.

1. State Preemption

Several of the bills expressly preempted state legislation in relation to data security and breach notification, including the Data Security and Breach Notification Act of 2014 and the Personal Data Privacy and Security Act of 2014.189 The Data Security Act of 2014 would have precluded civil action under state law related to a violation of the Act.190 The Cybersecurity Information Sharing Act of 2014 would have superseded state law to the extent that state law prohibited behavior that was allowed by the Act, but it did not supersede state law concerning law enforcement practices.191 The Personal Data Protection and Breach Accountability Act of 2014 would have preempted state law regarding breach notification, but it would not have preempted common law liability for the covered entities.192

The recently proposed Data Security and Breach Notification Act of 2015 would preempt state laws that require certain data security practices or require notification to individuals following a breach.193 However, this Act would protect the availability of state laws regarding trespass, contract, torts, or fraud194—so consumers would still be able to pursue state law claims under these laws. This law provides the compromise of a general preemption, but without the negative effect of preempting all state law claims.

2. Response Method and Time for Notification

Notification timing ranges from a specific period of time, as in President Obama’s Personal Data Notification and Protection Act and the Data Security and Breach Notification Act of 2014,195 to a “without reasonable delay” standard in the Personal Data Protection and Breach Accountability Act of 2014.196 Strict standards seem good in theory, but in a hearing on data security, Ravi Pendse, the Chief Information Officer for Brown University, expressed his concern that a strict notification deadline would be impossible for some entities to meet.197 From a consumer standpoint, a short notification deadline, such as that in the Personal Data Notification and Protection Act, should be more appealing—it would provide quicker notice when their information had been compromised.

189. S. 1976; S. 1897.

190. S. 1927.

191. S. 2588.

192. S. 1995.

193. S. 1976 at § 7.

194. Id.

195. Personal Data Notification and Protection Act of 2015, H.R. 1704, 114th Cong. (2015); S. 1976.

196. S. 1995.

Breach notification methods and standards also vary across the proposed bills. The Personal Data Protection and Breach Accountability Act of 2014 would have allowed notification by letter, email, phone call, or public notice—including media notice or electronic notice on a website—if there were more than 5,000 people affected.198 The Data Security and Breach Notification Act of 2014 would have allowed for similar methods of notification, but it allowed substitute notification if an entity had fewer than 10,000 individuals’ records and direct notification would not be feasible due to an excessive cost.199 Similar to the Data Security and Breach Notification Act of 2014, the Data Security Act of 2014 also allowed for substitute notification if the entity did not have the contact information for the individual affected, or if the cost of notification was excessive.200

The Data Security and Breach Notification Act of 2015 takes a strict approach to the notification timeline—thirty days—which is the same as President Obama’s proposal.201 Even though this requirement is strict, it should not prevent the bill from being passed, because the bill allows for notification “as promptly as possible” if thirty days is not feasible for several reasons.202 Some may disagree with the tough standard, but the Act allows for a safety net if the standard cannot be met for legitimate reasons.203

3. Data Security Practices

In addition to data breach notification, several of the proposed bills also discussed proactive measures to improve data security practices in businesses. The Cybersecurity Information Sharing Act of 2014 hoped to improve data security practices by facilitating data sharing between companies and the government.204 The Personal Data Protection and Breach Accountability Act of 2014 and the Personal Data Privacy and Security Act of 2014 would have allowed the Federal Trade Commission to regulate data security programs, and set broad standards for security practices, including risk assessment, design, and vulnerability testing.205 The Data Security and Breach Notification Act of 2014 similarly called on the Federal Trade Commission to promulgate regulations regarding data security practices.206 The Data Security Act of 2014 only called for “reasonable policies and procedures” to protect individuals’ private information.207

197. Getting it Right on Data Breach and Notification Legislation in the 114th Congress Before the Consumer Protection, Product Safety, Insurance & Data Security Subcommittee, 114th Cong. 1 (2015) (statement of Ravi Pendse, Chief Information Officer of Brown University).

198. S. 1995.

199. S. 1976.

200. S. 1927.

201. S. 177.

202. Id. at § 3(c).

203. Id.

204. S. 2588.

205. S. 1995, S. 1897.

The Data Security and Breach Notification Act of 2015 also gives the Federal Trade Commission the power to set regulations for data security policies.208 There has been Republican concern about giving this power to the Federal Trade Commission209—however, it may be overly optimistic to expect all companies to comply with a voluntary standard. Therefore, a mandatory standard is the more appropriate measure.

The numerous differences in (1) state preemption, (2) response method and time for notification, and (3) data security make it difficult to devise a uniform standard. The following section proposes a compromise and recommends a data breach notification and security standard that Congress can adopt in forthcoming legislation.

IV. RECOMMENDATION

Data breach legislation faced difficult odds to be enacted by the end of the 113th Congress,210 but the Cybersecurity Enhancement Act of 2014 managed to pass.211 This bill was a step in the right direction, but it had to sacrifice substance in order to get bipartisan support. Many issues divide Democrats and Republicans in the area of data security and breach notification, but it is possible to pass a more impactful law on data breach notification and data security. Bipartisan support can be achieved by adopting rules from several of the failed data security and breach notification bills.

The first area to tackle is breach notification. States have shown that notification guidelines should be specifically outlined.212 Given the vast differences in law across the states,213 a federal law should be enacted to answer this question and provide uniformity across the country. It can most likely be agreed upon that consumers and law enforcement officials need to be notified by the business entity when a breach occurs, and it makes sense to have a uniform standard to create predictability across jurisdictions. While the Republicans have shown their general opposition to regulations, breach notification is a less contentious area.214

206. S. 1976.

207. Data Security Act of 2014, S. 1927, 113th Cong. (2014).

208. Data Security and Breach Notification Act of 2015, S. 177, 114th Cong. § 2(a)(1) (2015).

209. Alexis, supra note 60.

210. ERIC NAING, HOME DEPOT BREACH UNLIKELY TO PROMPT LEGISLATION (Sept. 10, 2014), 2014 WL 4436982.

211. Cybersecurity Enhancement Act of 2014, S. 1353, 113th Cong. (2014).

212. Security Breach Notification Laws, NAT’L CONFERENCE OF STATE LEGISLATURES (June 11, 2015), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.

213. Michael Keller, Holiday Shopping? How Much Do Data Breach Notification Laws Protect?, AL JAZEERA (Dec. 1, 2014), http://america.aljazeera.com/multimedia/2014/12/to-catch-a-breachhowmuchdodatabreachnotificationlawsprotect.html.

214. Alexei Alexis, Data Security Outlook Remains Uncertain Despite Flurry of Bills, BLOOMBERG BNA (Apr. 22, 2014), http://www.bna.com/data-security-outlook-n17179889758.


The Data Security & Breach Notification Act of 2015’s notification requirement provides a balance of a quick timeline, but it also provides exceptions if following the deadline is not feasible.215 This balance makes it the ideal standard to adopt. However, no matter what bill eventually passes, a clear standard for breach notification should be included in the legislation. While this is important, breach notification is only a part of what is needed to address the cybersecurity issues the country faces. Breach notification only matters when the breach has already occurred, and it does little to address the underlying problems that lead to massive breaches.

Another issue that has presented a problem is the potential preemption of state laws.216 Some believe that a uniform law would be most successful only if it preempted all state laws, while others believe that states should be able to continue to enforce their stricter standards.217 The first step to compromise on this issue is to develop a strong breach notification standard like that in the Personal Data Notification and Protection Act218—that way the federal standard would be closer to the strict state standards. The Data Security & Breach Notification Act of 2015 preempts state laws to provide uniformity, but its protection of certain state law claims—such as contracts and torts—is a good compromise. The issue of state law preemption does not have to derail this legislation.

The more contentious issues of information sharing and regulatory procedures for data security are much more likely to hold up the legislation.219 Even so, data security legislation can provide a compromise by allowing companies to develop their own data security procedures and declaring broad security standards that are regulated by the Federal Trade Commission or another government agency. This would require the FTC to have some control over regulating security practices, but it would need to set certain boundaries to please all parties.

One of the most valuable ways to combat future breaches is to have the government communicate with businesses and businesses communicate with other businesses. The Cybersecurity Information Sharing Act of 2014 would have facilitated that sharing,220 but privacy advocates are rightfully concerned about the safety of sharing so much personal information.221 Setting strict standards to deal with the use of the information could alleviate this concern. Since there is concern with potential inappropriate data use,222 adding additional measures of oversight to regulate the information sharing between companies could potentially be enough to satisfy privacy advocates in order to get this law passed.

215. S. 177, 114th Cong. § 3(c).

216. REPUBLICAN COMM. STAFF, SUBCOMM. HEARING ON “GETTING IT RIGHT ON DATA BREACH AND NOTIFICATION LEGISLATION” 4 (2015).

217. Id. at 1–2.

218. Personal Data Notification and Protection Act of 2015, H.R. 1704, 114th Cong. § 101(a) (2015).

219. Id.

220. Cybersecurity Information Sharing Act of 2014, S. 2588, 113th Cong. § 3, 5 (2014).

221. M.G., supra note 113.

222. Id.


The last barrier is the area of data security regulation. Since massive data breaches continue to occur regularly, companies need to improve their methods of handling sensitive, personal information, but the question remains whether federal agencies should dictate those standards or whether they should be developed within each company. Appropriately monitoring data security does not need to come from heavily regulating data security practices. An agreeable solution can also come from increasing transparency and increasing private rights of action against willful disregard for common data security measures. The first step is to have a standard, whether industry-led or outlined in a bill, that shows which data security practices are accepted as sufficient. Following President Obama’s Executive Order 13636, the National Institute of Standards and Technology led the development of a cybersecurity framework that can serve as this standard.223

Next, there must be transparency regarding the data security practices that each business follows. Consumers should know exactly what data security practices each company uses to protect their personal information, and they should know how these procedures stack up to the national or industry norm. However, transparency must have a limit—if too much is disclosed, hackers may gain enough to bypass the security measures. This should be balanced to provide as much information to consumers as possible without sacrificing security.

Further, in the case of a breach, there needs to be a clear private right of action. For example, a negligence cause of action could be brought if an individual’s data is stolen from a company. The company has a duty to protect a customer’s data when it is given to them. When the company does not take sufficient measures to protect the data, it has breached its duty to the consumer. A breach can result in many different kinds of harm, from fraudulent charges on a credit card to mental pain caused by knowing a hacker has your personal information. If this cause of action became the norm following a breach, Congress could avoid additional regulations that Republicans have shown distaste for. This could create a climate where there is every incentive for companies to handle personal information as securely as possible, even without clear regulation.

The United States needs to get ahead of these breaches and develop a plan for the future. The Cybersecurity Enhancement Act of 2014 provided methods to facilitate cybersecurity education to make the public more prepared for attacks in the future.224 This section was not common in the discussed bills, but it should be included in any cybersecurity legislation. Hackers seem to be getting smarter and better at what they do, so the education sections of the Cybersecurity Enhancement Act of 2014 were necessary in order for this country to become more proactive and less reactive about data breaches.

223. Framework for Improving Critical Infrastructure Cybersecurity, NAT’L INST. OF STANDARDS AND TECH. (Feb. 12, 2014), http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.

224. S. 1353, 113th Cong. § 401 (2014).


V. CONCLUSION

The frequency and scope of recent data breaches should concern everyone, especially Congress. Protecting people’s data is a paramount concern, and it needs to be addressed by passing federal laws. This needs to happen soon, because there is a need for laws to protect consumers. The Cybersecurity Enhancement Act of 2014 was a step in the right direction, but there is not a uniform standard for breach notification, nor is there a comprehensive data security law.

Despite the lack of bipartisan support for the recent data breach bills, there are parts of each bill that can be used to cause meaningful change. If any future bills have a hope of being passed, people’s concerns for data privacy must be addressed in the legislation. The legislation must place a clear limit on the use of personal data by the government and should only minimally regulate individual companies’ internal security policies. Legislation must also carefully address the conflicts with state law. Some states have strict data protection standards, and it does not make sense to lower the standard in those states by completely preempting their existing laws.

By taking into account the privacy and regulatory concerns of bill opponents, legislation can be drafted by Congress that will be supported by both Democrats and Republicans. In order to be most beneficial, the legislation must also take both large and small business concerns into account. While the recent breaches call for fast action, Congress must act carefully to protect the privacy of people and businesses in its legislation.