HACKING THE CURRENT SYSTEM:
CONGRESS’ ATTEMPT TO PASS DATA
SECURITY AND BREACH NOTIFICATION
LEGISLATION
Brett V. Newman
TABLE OF CONTENTS
I. Introduction ......................................................................................... 438
II. Background ......................................................................................... 439
   A. Data Breach History .................................................................... 439
   B. State Action Concerning Data Breaches ...................................... 441
   C. Executive Order ........................................................................... 443
   D. Federal Action Concerning Data Breaches .................................. 443
   E. Recent Action .............................................................................. 444
III. Analysis ............................................................................................... 445
   A. Bills of the 113th Congress .......................................................... 446
      1. Cybersecurity Act of 2013 (enacted as the Cybersecurity Enhancement Act of 2014) .................................................... 446
      2. Cybersecurity Information Sharing Act of 2014 ................... 447
      3. Personal Data Privacy and Security Act of 2014 ................... 449
      4. Data Security Act of 2014 ..................................................... 450
      5. Data Security and Breach Notification Act of 2014 .............. 450
      6. Personal Data Protection and Breach Accountability Act of 2014 ............................................................................ 451
   B. Recent Action .............................................................................. 453
      1. Personal Data Notification & Protection Act ........................ 453
      2. Data Security & Breach Notification Act of 2015 ................. 454
   C. Points of Agreement and Inconsistency ...................................... 455
      1. State Preemption .................................................................... 455
      2. Response Method and Time for Notification ........................ 455
      3. Data Security Practices .......................................................... 456
IV. Recommendation ................................................................................ 457
V. Conclusion .......................................................................................... 460
B.A. Economics, University of Illinois, 2011; J.D., University of Illinois College of Law, 2016 (expected). I would like to thank Carol Hayes, Professor Jay Kesan, and the editorial staff of the Journal of Law, Technology & Policy for their help with my Note.
438 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2015
I. INTRODUCTION
Over the past ten years, an average of roughly 221,000 records have been breached per day.1 As the world becomes more technologically connected, businesses collect an increasing amount of information from consumers.2 Businesses are susceptible to data breaches, placing an increasing amount of consumers’ personal information at risk.3 The Privacy Rights Clearinghouse4 has recorded 4,599 data breaches made public since 2005.5 This list of data breaches accounts for a staggering 858,403,517 breached records.6 Some breaches have been as big as 200,000,000 records, in the case of Court Ventures,7 and there have been several other breaches of tens—and even hundreds—of millions of records.8
Despite the wave of massive breaches and legislative action on the part of many states, there is no comprehensive federal law for data security and breach notification.9 The private sector has also failed to take appropriate action in response to the massive breaches.10 In a 2014 survey of 567 executives in the United States, only 73% of them reported that their company had a plan in place for data breaches.11
Pressure to pass legislation to solve these issues has come from several branches of government. In the 2015 State of the Union address, President Barack Obama said, “I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information. That should be a bipartisan effort. If we don’t act, we’ll leave our nation and our economy vulnerable.”12 Federal Trade Commission Chairwoman Edith Ramirez stated, “[n]ever has the need
1. See Chronology of Data Breaches: Security Breaches 2005 – Present, PRIVACY RIGHTS
CLEARINGHOUSE, http://www.privacyrights.org/data-breach (last visited Sept. 7, 2015) (showing 858,403,517
breached records since 2005).
2. Prepared Statement of the Federal Trade Commission on Privacy in the Digital Age: Preventing
Data Breaches and Combating Cybercrime Before the Comm. on the Judiciary, United States Senate, F.T.C.
(Feb. 4, 2014) (statement of Edith Ramirez, Chairwoman of the Federal Trade Commission).
3. Id.
4. The Privacy Rights Clearinghouse is a non-profit corporation that raises consumer awareness of
privacy issues with technology and advocates for consumers’ privacy rights. About the Privacy Rights
Clearinghouse, PRIVACY RIGHTS CLEARINGHOUSE, https://www.privacyrights.org/content/about-privacy-
rights-clearinghouse (last visited Sept. 7, 2015).
5. PRIVACY RIGHTS CLEARINGHOUSE, supra note 1.
6. Id.
7. Grant Gross, State AGs Investigating Experian Subsidiary’s Data Breach, CIO (Apr. 3, 2014, 8:00
AM), http://www.cio.com/article/2377365/data-breach/state-ags-investigating-experian-subsidiary-s-data-
breach.html.
8. PRIVACY RIGHTS CLEARINGHOUSE, supra note 1.
9. At the federal level, there are merely industry-specific data security laws. Mauricio F. Paez et al.,
U.S. Congress Ready to Enact Data Security and Breach Notification Rules After Recent Consumer Data
Breaches, JONES DAY (Feb. 2014), http://www.jonesday.com/us-congress-ready-to-enact-data-security-and-
breach-notification-rules-after-recent-consumer-data-breaches-02-14-2014.
10. See PONEMON INSTITUTE, IS YOUR COMPANY READY FOR A BIG DATA BREACH?: THE SECOND
ANNUAL STUDY ON DATA BREACH PREPAREDNESS 1 (Sept. 2014) (showing that 27% of companies surveyed
did not have a data breach response plan in place).
11. Id.
12. President Barack Obama, State of the Union Address (Jan. 20, 2015) in 156 CONG. REC. H415
(daily ed. Jan. 27, 2010).
for [data security and breach notification] legislation been greater.”13
This Note contemplates the passage of a comprehensive breach notification and data protection law, and it examines how Congress may gain bipartisan support by navigating the delicate balance between data breach regulation and privacy concerns. Part II provides a history of recent data breaches in the United States, as well as legislative and executive action taken to address the problems caused by breaches. Part II also examines state action taken to address problems caused by data breaches. Part III analyzes the potential effectiveness and viability of several recent bills proposed by members of Congress that address the growing concern of data breaches, and it identifies what prevented the bills from passing. Part IV recommends a compromise by compiling useful sections of proposed legislation to create a comprehensive bill that will allow a valuable breach notification and data protection law to be passed while maintaining a high level of privacy.
II. BACKGROUND
In order to determine what legislation is needed, it is important to first examine the problem. This section identifies the recent data breaches in the United States, and it assesses what Congress and the President have done to remedy the problem. It also examines what most states have done on their own to address data breaches.
A. Data Breach History
The Privacy Rights Clearinghouse’s 4,599 reported data breaches since 2005 include fifty-six breaches of over a million records.14 These breaches have compromised the personal information of millions of customers and put many Americans at risk of identity theft.15 The threat of future breaches is causing Congress to move quickly to pass a federal breach notification and data security law.16
In December 2013, Target became the victim of a data breach.17 The Target hack affected tens of thousands of in-store credit card readers, which thieves used to steal credit and debit card information from customers.18 The damages from the breach were massive. The hack compromised approximately forty million credit card and debit card accounts, and up to seventy million people were victims of “additional stolen information.”19 Target admitted that it missed warning signs prior to the attack, and it faced breach-related costs of
13. Ramirez, supra note 2.
14. PRIVACY RIGHTS CLEARINGHOUSE, supra note 1.
15. Paez et al., supra note 9.
16. Id.
17. Robin Sidel et al., Target Hit by Credit-Card Breach, WALL ST. J. (Dec. 19, 2013, 7:29 AM),
http://online.wsj.com/articles/SB10001424052702304773104579266743230242538.
18. Id.
19. Anthony Wing Kosner, Actually Two Attacks in One, Target Breach Affected 70 to 110 Million
Customers, FORBES (Jan. 17, 2014, 10:32 PM), http://www.forbes.com/sites/anthonykosner/2014/01/17/
actually-two-attacks-in-one-target-breach-affected-70-to-110-million-customers.
$148 million in the second quarter of 2014.20
Victims of the hack sued Target, and a federal judge in the United States District Court for the District of Minnesota granted preliminary approval for a ten million dollar settlement.21 The settlement would authorize individual damage awards for as much as $10,000, but each customer would have to show (1) they had unauthorized credit card charges, (2) they invested time dealing with unauthorized charges, and (3) they incurred expenses replacing identification, correcting their credit report, or obtaining identity protection.22 However, proving that a customer lost money due to a specific breach can be difficult.23
In 2014, Home Depot also had a massive breach of its payment data systems,24 and fifty-six million credit and debit cards were hacked over a five-month period.25 After this attack, the hackers used stolen credit card numbers to make fraudulent purchases across the United States, and some customers had money drained from their accounts.26
Hackers have even taken advantage of the Apple Pay27 system to use stolen credit card numbers from the Target and Home Depot hacks.28 While the Apple Pay system has not itself been compromised, the hackers have used the system to buy items with stolen credit card information—the majority of these fraudulent Apple Pay purchases were to buy high-priced items at Apple stores.29
In August 2014, JP Morgan Chase fell victim to a cyber attack that compromised its customers’ personal information, including names, addresses, email addresses, phone numbers, and internal information.30 The attack affected seventy-six million households and seven million small businesses.31
20. Rachel Abrams, Target Puts Data Breach Costs at $148 Million, and Forecasts Profit Drop, N.Y.
TIMES (Aug. 5, 2014), http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-
million.html.
21. Hiroko Tabuchi, $10 Million Settlement in Target Data Breach Gets Preliminary Approval, N.Y.
TIMES (Mar. 19, 2015), http://www.nytimes.com/2015/03/20/business/target-settlement-on-data-breach.html.
22. Id.
23. Id. (“Matthew A. S. Esworthy, litigation partner at Shapiro Sher Guinot & Sandler, said that many
customers would have trouble proving that they had lost money because of the breach.”).
24. Maggie McGrath, Home Depot Confirms Data Breach, Investigating Transactions from April
Onward, FORBES (Sept. 8, 2014), http://www.forbes.com/sites/maggiemcgrath/2014/09/08/home-depot-
confirms-data-breach-investigating-transactions-from-april-onward/.
25. Robin Sidel, Home Depot’s 56 Million Card Breach Bigger than Target’s, WALL ST. J. (Sept. 18,
2014), http://online.wsj.com/articles/home-depot-breach-bigger-than-targets-1411073571.
26. Robin Sidel, Fraudulent Transactions Surface in Wake of Home Depot Breach, WALL ST. J. (Sept.
23, 2014), http://www.wsj.com/articles/fraudulent-transactions-surface-in-wake-of-home-depot-breach-
1411506081.
27. Apple Pay is a payment system that allows customers to pay for items at participating stores using
their iPhone instead of a physical debit or credit card. Apple Pay, APPLE, https://www.apple.com/apple-pay/
(last visited Sept. 8, 2015).
28. Robin Sidel & Daisuke Wakabayashi, Apple Pay Stung by Low-Tech Fraudsters, WALL ST. J.
(Mar. 5, 2015), http://www.wsj.com/articles/apple-pay-stung-bylow-techfraudsters-1425603036.
29. Id. (noting that 80% of the fraudulent purchases were made in Apple stores to buy “big ticket
items”).
30. Maggie McGrath, JP Morgan Says 76 Million Households Affected by Data Breach, FORBES
(Oct. 2, 2014), http://www.forbes.com/sites/maggiemcgrath/2014/10/02/jp-morgan-says-76-million-
households-affected-by-data-breach.
31. Id.
In the past few years, several other substantial breaches have occurred, including eBay,32 Jimmy John’s,33 and Adobe Systems,34 and it is unclear how many people these immense breaches affected.
Anthem, one of the largest health insurance companies in the United States, is also a recent victim of a data breach.35 The Anthem hackers accessed eighty million customers’ records, including their birthdays, addresses, and social security numbers.36 Anthem revealed the attack only days after it was discovered, which is not typical for organizations after experiencing a breach.37 Anthem planned to notify affected customers by email, if possible, and by mail.38
Millions of records per year continue to be exposed by hackers, and the high-profile breaches mentioned are only a fraction of the total breaches.39 The prevalence of data breaches and the wide range of targets puts most people’s data at risk—credit card numbers and other information may be stolen when a customer uses a credit card at a store, and their personal information can also be taken from an online database.40 These security risks have pushed states to take action, and the President and Congress have also responded.
B. State Action Concerning Data Breaches
States have been the first to act regarding data breaches, and nearly all of them have passed data breach legislation.41 State action is only increasing—thirty-two states have introduced or are considering data breach laws,42 compared to twenty-three states that introduced or considered data breach laws in 2014.43
In 2003, California was the first state to require businesses and state
32. Gordon Kelly, eBay Suffers Massive Security Breach, All Users Must Change Their Passwords,
FORBES (May 21, 2014), http://www.forbes.com/sites/gordonkelly/2014/05/21/ebay-suffers-massive-security-
breach-all-users-must-their-change-passwords.
33. Josh Beckerman, Sandwich Chain Jimmy John’s Reports Data Breach, WALL ST. J. (Sept. 24,
2014), http://online.wsj.com/articles/sandwich-chain-jimmy-johns-reports-data-breach-1411588555.
34. Jim Finkle, Trove of Adobe User Data Found on Web after Breach: Security Firm, REUTERS (Nov.
7, 2013), http://www.reuters.com/article/2013/11/07/us-adobe-cyberattack-idUSBRE9A61D220131107.
35. Anna Wilde Matthews & Danny Yadron, Health Insurer Anthem Hit by Hackers, WALL ST. J. (Feb.
4, 2015), http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720.
36. Id.
37. Id.
38. Id.
39. PRIVACY RIGHTS CLEARINGHOUSE, supra note 1.
40. See Sidel, supra note 25 (showing a breach that utilized credit card terminals); see Matthews &
Yadron, supra note 35 (showing a breach that utilized online health information).
41. Security Breach Notification Laws, NAT’L CONFERENCE OF STATE LEGISLATURES (Jan. 12, 2015),
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-
laws.aspx.
42. See 2015 Security Breach Legislation, NAT’L CONFERENCE OF STATE LEGISLATURES (June 11,
2015), http://www.ncsl.org/research/telecommunications-and-information-technology/2015-security-breach-
legislation.aspx (listing the various states and bills in those states concerning data breaches and security).
43. See 2014 Security Breach Legislation, NAT’L CONFERENCE OF STATE LEGISLATURES (Dec. 23,
2014), http://www.ncsl.org/research/telecommunications-and-information-technology/2014-security-breach-
legislation.aspx (listing the states that had proposed or finalized legislation on data breaches in 2014).
agencies to notify customers if a data breach included personal information.44 Forty-seven out of fifty states have enacted a law that requires consumers to be notified when personal information is part of a breach.45 Alabama and New Mexico, two of the three states that do not have this notification requirement, both have introduced breach notification bills.46
Many states have also proposed additional legislation to help prevent data breaches in the future.47 Individual state action has led to a wide array of laws from state to state, particularly in the area of breach notification requirements.48 This lack of uniformity can cause companies to expend resources on complying with up to fifty different breach notification laws instead of using those resources to remedy the breach.49 Many of these state laws regulate the same areas,50 but the inconsistencies may cause a problem.
Most states allow for substitute notice of a breach if the breach affects a certain number of people.51 In other words, if a data breach is large enough, the company is not required by law to contact individuals directly, and it can simply post a notice on its own website.52 If a company posts the notice to its website, many people are unlikely to see it. The threshold for substitute notice varies from state to state.53
The lack of uniformity between state breach notification laws has led many, including former Attorney General Eric Holder, to call for a federal standard concerning breaches.54 This view got bipartisan support, but there remains disagreement as to whether a federal breach notification law should preempt state breach notification law.55
44. Kamala D. Harris, California Data Breach Report, STATE OF CAL. DEP’T OF JUSTICE OFFICE OF GEN.
COUNSEL (Oct. 2014), https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf.
45. 2014 Security Breach Legislation, supra note 43 (Alabama, New Mexico, and South Dakota are
currently the only states that do not have this type of breach notification law).
46. See 2015 Security Breach Legislation, supra note 42.
47. 2014 Security Breach Legislation, supra note 43.
48. See generally Michael Keller, Holiday Shopping? How Much do Data Breach Notification Laws
Protect?, AL JAZEERA AM. (Dec. 1, 2014), http://america.aljazeera.com/multimedia/2014/12/to-catch-a-
breachhowmuchdodatabreachnotificationlawsprotect.html (discussing the differences in amount of protection
given to different types of data in different states).
49. Stephen E. Schatz, Retailers Support Passage of Federal Data Breach Notification Legislation,
NAT’L RETAIL FED’N (Feb. 5, 2015), https://nrf.com/media/press-releases/retailers-support-passage-of-federal-
data-breach-notification-legislation.
50. Security Breach Notification Laws, supra note 41 (stating that security breach laws typically (1)
define covered businesses, (2) define “personal information,” (3) describe what constitutes a breach, (4) give
requirements for notice following a breach, and (5) give exemptions).
51. Keller, supra note 48.
52. Id.; see, e.g., Customer Update on Data Breach, THE HOME DEPOT, https://corporate.
homedepot.com/mediacenter/pages/statement1.aspx (last visited Sept. 8, 2015) (updating customers of a
previous data breach through a posting on their website).
53. Keller, supra note 48.
54. Id.
55. See Jonathan Randles, Retail Groups Want Data Breach Law with Broad Preemption, LAW 360
(Jan. 27, 2015, 3:49 PM), http://www.law360.com/articles/615404/retail-groups-want-data-breach-law-with-
broad-preemption (discussing the ability for a federal data breach law to preempt state law and the support for
and against it on both sides).
C. Executive Order
On February 12, 2013, President Barack Obama signed an executive order to improve critical infrastructure cybersecurity.56 This executive order called for information sharing, a hallmark of recent data security bills, and a “voluntary critical infrastructure cybersecurity program.”57 The executive order led the National Institute of Standards and Technology to develop a cybersecurity framework.58 Two years later, President Obama followed with another executive order that promoted the creation of Information Sharing and Analysis Organizations to collaborate and respond to cyber threats.59
The U.S. Chamber of Commerce, among others, strongly opposed the imposition of private sector cybersecurity standards.60 Stewart Baker, a partner at Steptoe & Johnson LLP, stated that despite the voluntary nature of Executive Order 13636, failure to comply could potentially be used to show negligence if a company was sued.61 Concerns such as this one demonstrate why it is difficult for Congress to get the bipartisan support needed to pass data security and breach notification laws.
D. Federal Legislative Action Concerning Data Breaches
Congress has passed data privacy and notification laws for specific industries, despite there being a lack of comprehensive legislation regarding data protection.62 For example, the Gramm-Leach-Bliley Act regulates financial institutions, and it allows government agencies to establish standards in order to protect against security threats.63 The Gramm-Leach-Bliley Act has even provided the framework for other bills that seek to address the same issue, but focus on all industries.64
The Health Insurance Portability and Accountability Act establishes similar standards,65 but in the realm of the healthcare industry.66 It covers the
56. See Exec. Order 13636, 78 Fed. Reg. 11739 (2013) (ordering that the United States improve critical
infrastructure in relation to data breaches and cybersecurity).
57. Id.
58. NAT’L INST. OF STANDARDS AND TECH., FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE
CYBERSECURITY (2014), http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-
final.pdf (describing the framework of the NIST’s plan to improve cybersecurity infrastructure at the federal
level).
59. See Exec. Order 13691, 80 Fed. Reg. 9349 (2015) (promoting the open sharing of cybersecurity
related information between private entities).
60. Alexei Alexis, President Obama Signs Executive Order on Cybersecurity, Seeks Voluntary
Standards, BLOOMBERG BNA (Feb. 18, 2013), http://www.bna.com/president-obama-signs-n17179872423/.
61. Id.
62. Steven G. Gersten, Richard J. Johnson & Mauricio F. Paez, U.S. Congress Ready to Enact Data
Security and Breach Notification Rules After Recent Consumer Data Breaches, JONES DAY (Feb. 2014),
http://www.jonesday.com/us-congress-ready-to-enact-data-security-and-breach-notification-rules-after-recent-
consumer-data-breaches-02-14-2014.
63. Gramm-Leach-Bliley Act, 15 U.S.C. § 6801(b) (2012).
64. See FINANCIAL PRIVACY LAW GUIDE LETTER NO. 152 ISSUE NO. 288, 2014 WL 1872689 (“[Roy]
Blunt stated that The Data Security Act of 2014 is modeled after the data security and breach-response regime
established under the Gramm-Leach-Bliley Act of 1999 and subsequent regulations.”).
65. 45 C.F.R. §§ 164.400–414 (2015).
66. 45 C.F.R. § 164.400 (2015).
area of health information, and it sets standards to notify the individual, the media, and the Secretary of Health and Human Services.67
Amid the calls for a national standard to legislate this area of need,68 several Senators introduced bills in the last Congress related to the issues of cybersecurity and data privacy: the Cybersecurity Enhancement Act of 2014,69 the Cybersecurity Information Sharing Act of 2014,70 the Personal Data Privacy and Security Act of 2014,71 the Data Security Act of 2014,72 the Data Security and Breach Notification Act of 2014,73 and the Personal Data Protection and Breach Accountability Act of 2014.74 Each bill addresses key areas that are desperately in need of a clear statement from Congress, such as a uniform standard for data breach notification requirements. Many of the bills address similar issues, and there are only a few issues that divide Republicans and Democrats.
Recently, Congress has shown urgency to pass a breach notification law, and President Barack Obama has proposed the Personal Data Notification and Protection Act.75 By combining portions of the bills proposed in the last Congress, it is possible to construct a viable data breach notification and data security law that can create a uniform standard across the country and adequately protect consumers.
E. Recent Action
At the start of the year, President Obama proposed his own solution to the data breach question by introducing the Personal Data Notification and Protection Act.76 One of the focuses of this law is to set a thirty-day standard for notification after a breach.77 In response to this bill, there remains a disagreement as to whether a federal standard should preempt state law.78 Former chairman of the Federal Trade Commission, Jon Leibowitz, noted the challenges presented by forty-eight separate state laws, but a representative of the Electronic Privacy Information Center, Marc Rotenberg, stated that a
67. 45 C.F.R. §§ 164.400–414 (2015).
68. Grant Gross, Obama Calls for Data Breach Notification Law, Privacy Bill of Rights, PC WORLD
(Jan. 12, 2015, 12:16 PM), http://www.pcworld.com/article/2867872/obama-calls-for-data-breach-notification-
law-privacy-bill-of-rights.html; Schatz, supra note 49.
69. Cybersecurity Enhancement Act of 2014, Pub. L. No. 113-274, 128 Stat. 2971 (2014).
70. Cybersecurity Information Sharing Act of 2014, S. 2588, 113th Cong. (2014), https://www.
congress.gov/bill/113th-congress/senate-bill/2588/text.
71. Personal Data Privacy and Security Act of 2014, S. 1897, 113th Cong. (2014), https://www.
congress.gov/bill/113th-congress/senate-bill/1897/text.
72. Data Security Act of 2014, S. 1927, 113th Cong. (2014), https://www.congress.gov/bill/113th-
congress/senate-bill/1927/text.
73. Data Security and Breach Notification Act of 2014, S. 1976, 113th Cong. (2014), https://www.
congress.gov/bill/113th-congress/senate-bill/1976/text.
74. Personal Data Protection and Breach Accountability Act of 2014, S. 1995, 113th Cong. (2014),
https://www.congress.gov/bill/113th-congress/senate-bill/1995/text.
75. Michael D. Shear & Natasha Singer, Obama to Call for Laws Covering Data Hacking and Student
Privacy, N.Y. TIMES (Jan. 11, 2015), http://www.nytimes.com/2015/01/12/us/politics/obama-to-call-for-laws-
covering-data-hacking-and-student-privacy.html.
76. Id.
77. Id.
78. Id.
preemptive federal standard would prevent states from making their own laws requiring a quicker notification after a breach.79
Following the Anthem breach, the U.S. Senate’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security80 held a hearing to discuss data breach legislation.81 In this hearing, the panelists discussed state law preemption, breach notification procedures and standards, and data security measures.82 During the hearing, it was clear that, despite the support for a breach notification and data security bill, there was a strong disagreement regarding the specific factors.83 On the topic of preemption alone, some called for an expansive preemption, while some called for a narrow preemption.84 Others said that the best option was to have no preemption at all.85 Further, the parties could not agree under what circumstances notice of a breach should be given.86 The disagreement at this hearing was a reminder of the barriers faced in passing comprehensive data breach notification and data security legislation—even though everyone may agree that there is a need for immediate legislation.87
The patchwork state legislation and numerous bills introduced in Congress show how difficult it is to agree on breach notification and data security measures. There is likely an agreement that the United States needs a data breach law, but that does not mean that one will be passed.88 The problem may also come from a surplus of Congressional committees claiming jurisdiction and trying to tackle the issue89—resulting in too many different bills.90 Examining the failed bills of the 113th Congress—and one of the “successes”—is the start of determining a solution to this problem.
III. ANALYSIS
In order to come up with the best solution, it is important to examine and assess the bills that have been introduced on the topics of data security and breach notification. Then it is possible to use sections from these proposed bills in order to protect the consumer and create a reasonable standard to set for businesses. This section contains an analysis of selected bills proposed in the
79. Id.
80. U.S. Senate Committee on Commerce, Science & Transportation, SENATE.GOV,
http://www.commerce.senate.gov/public/index.cfm?p=ConsumerProtectionProductSafetyandInsurance (this
subcommittee is part of the U.S. Senate Committee on Commerce, Science & Transportation).
81. Memorandum from the Republican Comm. Staff, to Members of the S. Comm. on Commerce, Sci.,
and Transp. (Feb. 3, 2015) (Subcommittee hearing on “Getting it Right on Data Security and Breach
Notification Legislation”).
82. Id.
83. Id.
84. Id.
85. Id.
86. Id.
87. Id.
88. Eric Chabrow, Why U.S. Breach Notice Bill Won’t Pass, BANK INFO. SEC. (Jan. 14, 2014),
http://www.bankinfosecurity.com/blogs/us-breach-notice-bill-wont-pass-p-1602/op-1.
89. Id.
90. Id.
113th Congress. It points out the areas of agreement, and the areas that kept all but one of the bills from passing.
A. Bills of the 113th Congress
Examining the proposed bills gives a baseline for potential legislation. The bills below highlight the differing opinions on data breach strategy, each important in creating a workable solution.
1. Cybersecurity Act of 2013 (enacted as the Cybersecurity Enhancement Act of 2014)
Jay Rockefeller91 sponsored the Cybersecurity Act of 2013, a bill that addressed cybersecurity issues by facilitating the development of voluntary standards to combat cybersecurity threats.92 This bill, renamed the Cybersecurity Enhancement Act of 2014, passed the House and Senate on December 11, 2014, and it was signed into law one week later.93
The Cybersecurity Enhancement Act of 2014 gives the National Institute of Standards and Technology power to guide the development of a “voluntary, industry-led set of standards . . . to cost-effectively reduce cyber risks to critical infrastructure.”94 It received bipartisan support, partially because it avoids regulatory issues that doom other similar bills.95 The Cybersecurity Enhancement Act of 2014 does not give any regulatory authority to federal or state agencies—and this has been enough to gain support from many different places, including the U.S. Chamber of Commerce, AT&T, Verizon, IBM, and Symantec.96 Given the lack of regulatory authority in the bill, the standards and best practices developed would be entirely voluntary.97 Opponents might note this lack of regulatory authority would prevent any real oversight or meaningful change in the behavior of businesses—how can the government ensure that companies are taking appropriate measures to protect consumer data if there is no ability to regulate in the area?
Rather than focusing on establishing reactive measures, this act takes a proactive approach that looks much further ahead than other bills addressing this area of law.98 It establishes cybersecurity competitions and scholarships to
91. Senator John D. Rockefeller IV, CONGRESS.GOV, https://www.congress.gov/member/jay-
rockefeller/R000361 (Jay Rockefeller was a Democratic Senator from West Virginia from 1985–2015).
92. Cybersecurity Enhancement Act of 2014, S. 1353, 113th Cong. (2014), https://www.congress.gov/
bill/113th-congress/senate-bill/1353.
93. Major Actions: S. 1353 – 113th Congress (2013–2014), CONGRESS.GOV, https://www.congress.gov/
bill/113th-congress/senate-bill/1353/actions [hereinafter Major Actions].
94. Cybersecurity Enhancement Act of 2014, S. 1353, 113th Cong. § 101(a)(2) (2014).
95. Shaun Waterman, Senators Pushing Business-Backed Cybersecurity Bill, WASH. TIMES (July 30,
2013), http://www.washingtontimes.com/news/2013/jul/30/senators-pushing-business-backed-cybersecurity-
bil/.
96. Featured Legislation: The Cybersecurity Act of 2013, U.S. SENATE COMM. ON COMMERCE, SCI., &
TRANSP. (July 24, 2013), http://www.commerce.senate.gov/public/index.cfm?p=Legislation&ContentRecord_
id=6f4da480-5cd6-4c1e-a2cd-122c621d6a88.
97. Chabrow, supra note 88.
98. See Cybersecurity Enhancement Act of 2014, Pub. L. No. 113-274, 128 Stat. 2971 (2014)
(establishing competitions and scholarships to prepare the next generation for dealing with cybersecurity
No. 2] HACKING THE CURRENT SYSTEM 447
help prepare the next generation to address cybersecurity related issues.99
It
also sets a plan for the research and development of a “strategic plan” related
to the cybersecurity risk.100
It is difficult to believe that Congress would not be
supportive of including this section in a cybersecurity bill, because it is
separate from the partisan issues that impede cybersecurity legislation.
Given the bipartisan support of the Cybersecurity Enhancement Act of
2014, it was able to become law.101
Unfortunately, in order to gain bipartisan
support, the bill left out key sections that could potentially have an even
greater effect on data security—for example, a comprehensive data-sharing
plan that would facilitate the cooperation between companies and the
government to combat breaches (like that included in the Cybersecurity
Information Sharing Act of 2014102
). The lack of contentious issues included
in the Cybersecurity Act of 2013 is an example of the compromise needed to
gain bipartisan support for a cybersecurity bill.
The Cybersecurity Enhancement Act of 2014 was the only bill examined
in this Note to be passed. Even with bipartisan support for the bill, it took until
the last month of Congress’ session to approve this step towards better
cybersecurity.103
2. Cybersecurity Information Sharing Act of 2014
Senate Intelligence Committee Chairwoman Dianne Feinstein104
sponsored the Cybersecurity Information Sharing Act of 2014. This bill hoped
to encourage data sharing among companies and between the government and
companies.105
This bill would have allowed private entities to monitor, for
cybersecurity purposes, the following information systems: (1) the entity’s
own systems, (2) another entity’s system with written consent, or (3) a Federal
entity with its consent.106
To encourage participation in the data-sharing plan,
the Act provided liability protection to the participating entities—there would
be no cause of action for monitoring information systems or sharing threat
indicators, if conducted in accordance with the Act.107
An entity would also be
protected as long as it relied in good faith that its action was permitted by the
Act.108
This blanket protection from liability may have caused more harm than
issues).
99. Id.
100. Id.
101. Id.
102. See infra section III (B)(2) (describing the data-sharing plan between government entities included
in the Cybersecurity Information Sharing Act of 2014).
103. See Major Actions, supra note 93 (showing history of the act, including date of passage on Dec. 11,
2014).
104. Cybersecurity Information Sharing Act of 2014, S. 2588, 113th Cong. (2014), https://www.
congress.gov/bill/113th-congress/senate-bill/2588/actions.
105. See id., at § 3 (describing the Act’s goal of encouraging information sharing between companies
and the Federal Government).
106. Id. at § 4.
107. See id. § 6 (prohibiting causes of action against entities for sharing cyber threat indicators or
monitoring information systems).
108. Id.
448 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2015
good,109
and it also may have kept that section of the bill from becoming law.
The bill gave immunity to companies that share data, which could have
potentially made it very difficult for people to seek legal remedies from
companies.110
The bill’s sponsors believed that legal protections were needed
to facilitate the sharing of information,111
but civil liberties advocates were
concerned about the potential empowerment of the NSA.112
The Cybersecurity Information Sharing Act of 2014 was met with strong opposition from privacy experts.[113] Some noted that by allowing voluntary sharing of information for cybersecurity purposes, the government might have a way around the protections of the Electronic Communications Privacy Act.[114] The use of the language “[n]otwithstanding any other provision of law” under the authorization for monitoring and the authorization for sharing cybersecurity threat indicators was particularly troublesome.[115] The privacy advocates’ fear was that the broad definition of “cybersecurity information” could allow the government to get a wide variety of information from private entities and even allow the government to use that gathered personal information in criminal proceedings.[116]
Privacy advocates gave some of the biggest critiques of this bill—they were wary of the problems that could arise after sharing information with the government, given the power of the NSA and other government agencies.[117] The leak by Edward Snowden[118] has made the United States very skeptical of government information gathering practices, meaning people are much less willing to trust their personal information in the hands of the government, particularly the NSA.[119] The wording of this bill allowed for data to be used for purposes unrelated to the original cyber-threat, which worried privacy advocates.[120] Further, the Act also exempted the cybersecurity sharing programs from transparency programs like the Freedom of Information Act and state “sunshine laws.”[121] This transparency exemption prevented citizens from keeping a check on this government data-sharing program and ensuring that it would not abuse its power.[122] This provision, along with the lack of trust in the United States’ government, was likely to make many Americans uneasy about this bill.
109. Sandra Fulton, Beware the Dangers of Congress’ Latest Cybersecurity Bill, AM. CIVIL LIBERTIES UNION (June 27, 2014), https://www.aclu.org/blog/beware-dangers-congress-latest-cybersecurity-bill (“While we hope many companies would jealously guard their customers’ information, there is a provision in the bill that would excuse sharers from any liability if they act in “good faith” that the sharing was lawful.”).
110. Eric Niang, Senate Panel Approves Cybersecurity Data Sharing Bill, CQ ROLL CALL (July 9, 2014), 2014 WL 3337435.
111. Gregory C. McNeal, Movement on Cybersecurity Legislation Likely After Election, FORBES (Dec. 31, 2014), http://www.forbes.com/sites/gregorymcneal/2014/10/31/movement-on-cybersecurity-legislation-likely-after-election/.
112. Id.
113. See M.G., Once More Unto the Breaches, THE ECONOMIST (July 10, 2014) (describing privacy groups’ opposition to cyber-security legislation), http://www.economist.com/blogs/democracyinamerica/2014/07/cyber-security-and-nsa; see also Niang, supra note 110 (describing privacy advocates’ opposition to cyber-security legislation).
114. Fulton, supra note 109.
115. S. 2588, at § 4.
116. Id.
117. See M.G., supra note 113 (describing public wariness of sharing information with the government).
118. Edward Snowden is a former United States defense contractor with Booz Allen Hamilton who released numerous top-secret documents related to the National Security Agency’s surveillance programs. Glenn Greenwald, Ewen MacAskill & Laura Poitras, Edward Snowden: the Whistleblower Behind the NSA Surveillance Revelations, THE GUARDIAN (June 11, 2013), http://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance.
119. See generally Edward Snowden: Leaks that Exposed US Spy Programme, BBC (Jan. 17, 2014), http://www.bbc.com/news/world-us-canada-23123964 (describing the breadth of Federal Government surveillance operations).
3. Personal Data Privacy and Security Act of 2014[123]
Senator Patrick Leahy[124] has introduced the Personal Data Privacy and Security Act in every Congress since 2005.[125] Following the recent breaches,[126] he introduced the bill again in 2014.[127] The bill aimed to increase punishments for violations of data privacy and subjected many business entities to a security program.[128] The bill also gave businesses and federal agencies a sixty-day timeline to disclose breaches to individuals whose personally identifiable information had been compromised.[129] This bill’s timeline was the same as the timeline used by the Health Insurance Portability and Accountability Act.[130] Several states that have legislated on the notification timeline, including Florida, Ohio, Vermont, and Wisconsin, have set stricter standards for notice.[131]
This Act called for increased punishments for identity theft and for willful concealment of breaches.[132] It also set a standard for data privacy and security programs.[133] There was no private cause of action against a business for a violation of this Act.[134] Despite the well-understood need for data breach laws, the strong disagreement in Congress made this bill unlikely to become law during the 113th Congress.[135]
120. See M.G., supra note 113 (noting public concern that information about cyber-threats would be
used for other purposes).
121. Fulton, supra note 109, at 3.
122. Id.
123. Personal Data Privacy and Security Act of 2014, S. 1897, 113th Cong. (2014).
124. U.S. Senator Patrick Leahy of Vermont, SENATE.GOV, http://www.leahy.senate.gov/biography (last
visited Sept. 6, 2015).
125. Chabrow, supra note 88.
126. Tom Risen, Sen. Patrick Leahy Introduces Data Privacy Bill in Wake of Target Breach, U.S. NEWS
(Jan. 8, 2014), http://www.usnews.com/news/articles/2014/01/08/sen-patrick-leahy-introduces-data-privacy-
bill-in-wake-of-target-breach.
127. Personal Data Privacy and Security Act of 2014, S. 1897, 113th Cong. (2014).
128. Id.
129. Id. at § 211(c); Chabrow, supra note 88.
130. Health Insurance Portability and Accountability Act, 45 C.F.R. §§ 164.400–414.
131. Data Breach Charts, BAKERHOSTETLER (2015), http://www.bakerlaw.com/files/Uploads/
Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf (last visited Sept. 8, 2015).
132. Personal Data Privacy and Security Act of 2014, S. 1897, 113th Cong. (2014).
133. Id.
134. Id.
135. See Chabrow, supra note 88.
4. Data Security Act of 2014
Republican Senator Tom Carper[136] proposed the Data Security Act of 2014.[137] This bill was modeled after the breach standards outlined in the Gramm-Leach-Bliley Act,[138] and its purpose was to require notice after security breaches and to facilitate the protection of private information.[139] The bill left much of the security procedures up to the companies; in the description of the security procedures required, this bill required “reasonable policies and procedures” to protect data security.[140]
This bill did not give a private right of action for regulations under the act, and it went even further to say that individuals did not have a private right of action in state court for something that is regulated under this act.[141] The Data Security Act of 2014 relied on administrative enforcement of the provisions, and it did so at the expense of private rights of action against companies in violation of the Act.[142] This point, in particular, caused significant pushback regarding this bill because it would leave many individuals without remedies in state court even if hackers and companies violated state law—and it would have prevented individuals from pursuing class-action lawsuits.[143] This bill would have taken away existing state law rights from the consumer—it prevented pursuing certain state law causes of action.[144] It seems contradictory to take away state law rights in a bill that is intending to protect information relating to customers.
5. Data Security and Breach Notification Act of 2014
The Data Security and Breach Notification Act of 2014, another bill introduced by Senator Jay Rockefeller, required companies to adopt reasonable procedures to protect personal information.[145] This Act would have given the Federal Trade Commission the power to set security standards for entities possessing personal information.[146] The Act would have also set a strict notification standard—it would have required notification to affected individuals within thirty days of discovery of the breach unless that was not feasible.[147] The Act would have also given the Federal Trade Commission the power to determine the circumstances in which substitute notification would be allowed instead of direct notification.[148]
136. Tom Carper: U.S. Senator for Delaware, SENATE.GOV, http://www.carper.senate.gov/public/index.cfm/about?p=biography-and-pictures (last visited Sept. 8, 2015).
137. Data Security Act of 2014, S. 1927, 113th Cong. (2014).
138. Financial Privacy Law Guide Letter No. 152 Issue No. 288, FIN. PRIVACY LAW GUIDE, 2014 WL 1872689 (2014).
139. Data Security Act of 2014, S. 1927, 113th Cong. (2014).
140. Id. at § 3(a)(1).
141. Id. at § 5(c).
142. Id.
143. Chris Dimarco, Data Security Act of 2014 Could Stitch Together Patchwork of Current Regulations, INSIDE COUNSEL (Jan. 22, 2014), http://www.insidecounsel.com/2014/01/22/data-security-act-of-2014-could-stitch-together-pa.
144. Id.
145. Data Security and Breach Notification Act of 2014, S. 1976, 113th Cong. (2014).
146. Id. at § 2(a).
147. Id. at § 3(c).
This bill was in conflict with Republican proposed legislation, primarily because it gave the Federal Trade Commission the power to set standards regarding data security.[149] Republicans wanted to merely redefine the Federal Trade Commission’s enforcement powers—against companies who failed to take reasonable steps to protect personal data—without giving it any additional power to set standards for data security.[150] This contentious issue made the Data Security and Breach Notification Act of 2014 difficult to pass if the final version included giving regulatory power to the Federal Trade Commission.[151] Given the conflicting nature of the Democratic and Republican proposed bills, it would have been difficult for either to get bipartisan support.
A useful but most likely controversial section of this law criminalized the concealment of breaches, and it gave the United States Secret Service and the Federal Bureau of Investigation the power to enforce it.[152] A section for the criminalization of concealment was a very hard stance, but it would have sent a strong message to anyone thinking of trying to keep a breach a secret. In order for the concealment of a breach to be punished by the Secret Service or the Federal Bureau of Investigation, it must have been intentional and willful, and it must have led to economic harm of at least $1000 to an individual.[153] The standard of intentional and willful was a relatively high bar for a criminal charge, especially when talking about the theft of basic personal information, the value of which could be below $1000.
Similar to other bills, this Act would have preempted state laws concerning security procedures and breach notification.[154] Even so, with fifty different methods of regulating breach notification, a uniform standard would have allowed for a clear and comprehensive measure for standards to be set. Senator Thune, the backer of the conflicting Republican bill, even agreed with the need for a uniform standard.[155] This shows there is bipartisan agreement that this type of law needs to be passed[156]—this small agreement, along with some compromise between the two parties, could be what prompts Congress to eventually adopt a data security and breach notification law.
6. Personal Data Protection and Breach Accountability Act of 2014
In February 2014, Senator Richard Blumenthal[157] introduced the Personal Data Protection and Breach Accountability Act of 2014 to the Senate.[158] This bill set a series of safeguards for all business entities to follow in their data privacy programs,[159] and it created “stringent” penalties for companies that did not properly protect personal information or timely notify customers of a breach of their information.[160]
Similar to the Data Security and Breach Notification Act of 2014, the Personal Data Protection and Breach Accountability Act of 2014 specifically authorized punishment for intentional or willful concealment of a data breach of personal information.[161] The Personal Data Protection and Breach Accountability Act of 2014 did not have a dollar amount requirement for the willful concealment of a data breach, and it only required economic harm or “substantial emotional distress” to at least one person.[162] The lack of a dollar amount made a large difference in the enforceability of this Act because it did not require an individual to prove how much their stolen personal information was worth to them.
The Act allowed many different stakeholders to enforce a violation of the Act, including the Attorney General of the United States, state Attorneys General, or individuals in a civil action.[163] Unlike other bills that prevented private causes of action,[164] this Act would have allowed individuals to bring suit against business entities and seek damages up to $20,000,000 as well as punitive damages for willful or intentional violation.[165] These punishments were sure to get the attention of all people involved, and they would have most likely strongly discouraged behavior in violation of this Act.
Going further to protect individuals, the bill outlined remedies following a breach; these remedies include free credit monitoring services, a security freeze on the individual’s credit report, and a reimbursement of costs resulting from the breach, including costs resulting from identity theft.[166] It even required the business to notify credit-reporting agencies if the breach resulted in the required notification of more than 5,000 people.[167]
In relation to the security breach notification procedures, this Act would not have exempted companies from liability under state laws—it would only have added further protection under federal law.[168] This bill was consumer friendly, and it provided the most for individuals who would be negatively affected by a data breach. Given the consumer focus of the Personal Data Protection and Breach Accountability Act of 2014, there would likely be opposition from business-focused organizations, which would have to bear most of the burden of the proposed legislation. This bill did not pass, and it died with the adjournment of the 113th Congress[169]—however, it may be used as an example for future bills directed towards a high level of consumer protection.
148. Id. at § 3(d)(2)(A).
149. Alexei Alexis, Data Security Outlook Remains Uncertain Despite Flurry of Bills, BLOOMBERG BNA (Apr. 22, 2014), http://www.bna.com/data-security-outlook-n17179889758; see Data Security and Breach Notification Act of 2013, S. 1193, 113th Cong. (2013) (requiring data collecting entities to notify individuals in case of breach without allowing the Federal Trade Commission to set standards).
150. Alexis, supra note 149.
151. See id. (citing lack of support from Republicans and the Chamber of Commerce to giving the Federal Trade Commission rulemaking authority).
152. S. 1976, § 5(f).
153. Id.
154. Id. at § 7.
155. Alexis, supra note 149.
156. Id.
157. About Senator Blumenthal, SENATE.GOV, (Sept. 8, 2015), http://www.blumenthal.senate.gov/biography.
158. Personal Data Protection and Breach Accountability Act of 2014, S. 1995, 113th Cong. (2014).
159. Id. at § 202.
160. Erica Teichert, Senate Bill Would Punish Cos. For Lax Data Security, LAW 360 (Feb. 4, 2014, 9:12 PM), http://www.law360.com/articles/507053/senate-bill-would-punish-cos-for-lax-data-security.
161. S. 1995, § 101.
162. Id.
163. Id. at §§ 203–05, 218–20.
164. See Personal Data Privacy and Security Act of 2014, S. 1897, 113th Cong. (2014) (preventing private causes of action).
165. S. 1995, §§ 205, 220.
166. Id. at § 215.
167. Id. at § 216.
168. Id. at § 221(b)(1).
B. Recent Action
Since the adjournment of the 113th Congress, there has been quick action
to address data security and breach notification concerns in the new year—this
has come by way of a proposal by President Obama and a new bill introduced
in Congress.
1. Personal Data Notification & Protection Act
On January 12, 2015, President Obama proposed the Personal Data Notification & Protection Act.[170] President Obama proposed this in addition to several other measures aimed at promoting data security and privacy, including the “Consumer Privacy Bill of Rights,” a “Voluntary Code of Conduct for Smart Grid Customer Data Privacy,” and the “Student Digital Privacy Act.”[171] President Obama received support from both Democratic and Republican Congressmen following his proposals.[172] The breach notification law has been considered for over ten years, and the Consumer Privacy Bill of Rights has been considered for three years.[173]
The Personal Data Notification & Protection Act contains similar parts of other bills, but it applies to a wider group of personal information than those bills.[174] The protected “sensitive personally identifiable information” includes: (1) first and last name in combination with several different elements, (2) a government-issued identification number, including a social security number or driver’s license number, (3) biometric data including fingerprints or voice prints, (4) unique account identifiers, and (5) a username in combination with a password or security question.[175] It also allows a combination of different information to meet the standard, and it allows the Federal Trade Commission to amend the definition of “sensitive personally identifiable information.”[176]
169. S. 1995 (113th): Pers. Data Prot. & Breach Accountability Act of 2014, GOVTRACK.US,
https://www.govtrack.us/congress/bills/113/s1995 (last visited Sept. 9, 2015).
170. Jeff Kosseff, Analysis of White House Data Breach Notification Bill, NAT’L L. REV. (Jan. 15, 2015)
[hereinafter Kosseff], http://www.natlawreview.com/article/analysis-white-house-data-breach-notification-bill.
171. Press Release, Office of the Press Secretary, The White House, FACT SHEET: Safeguarding
American Consumers & Families, (Jan. 12, 2015), http://www.whitehouse.gov/the-press-office/2015/01/12/
fact-sheet-safeguarding-american-consumers-families.
172. Cheryl Bolen, Obama Revives Data Breach Notice, Consumer Privacy, Security Proposals,
BLOOMBERG BNA (Jan. 16, 2015) [hereinafter Bolen], http://www.bna.com/obama-revives-data-
n17179922217/.
173. Id.
174. Kosseff, supra note 170.
175. Personal Data Notification & Protection Act, H.R. 1704, 114th Cong. § 112(12) (2015).
176. Id.
The Personal Data Notification & Protection Act also sets a strict standard of notification to the Federal Trade Commission—thirty days after the entity discovers the breach.[177] The notice requirement applies to businesses that use personally identifiable information of more than 10,000 individuals in a year-long period.[178] The Personal Data Notification & Protection Act has an exception that does not require companies to disclose breaches if there is not a reasonable risk that the individuals whose data was affected will be harmed.[179] The Federal Trade Commission and state Attorneys General would handle the enforcement of the provisions of this Act.[180]
The sticking point of the Personal Data Notification & Protection Act may be the fact that it would supersede state laws covering the breach of computerized data from business entities.[181] A partner at Dorsey & Whitney LLP in Minneapolis noted that the issue of state law preclusion “may be a deal-killer either way.”[182] This type of disagreement is what prevents bills like this from getting through a substantially divided Congress.
The Personal Data Notification & Protection Act contains a range of provisions that are needed to enact much-needed data security legislation; however, one small provision may be enough to derail the whole thing.[183] Even if not adopted in full, the Personal Data Notification & Protection Act sets a high standard for the definition of sensitive personally identifiable information and notification deadlines—both of which could be used to supplement legislation that is more likely to be passed.
2. Data Security & Breach Notification Act of 2015
The Data Security and Breach Notification Act of 2015 was introduced in the Senate on January 13, 2015.[184] This bill showed fast action by the new 114th Congress.[185] The Data Security & Breach Notification Act of 2015 would give the Federal Trade Commission the power to promulgate regulations for information security.[186] The Act also requires notification within 30 days, unless it would not be feasible due to certain circumstances.[187] The Act preempts state laws relating to data security and breach notification, but it does not preempt state law tort, contract, trespass, or fraud claims.[188]
Taking into account the concerns surrounding the failed bills of the 113th Congress, the Data Security & Breach Notification Act of 2015 could provide some compromise to enact the comprehensive data security and breach notification law that the United States needs.
177. Id. at § 101(c).
178. Id. at § 101(a).
179. Id. at § 102(b)(1)(A).
180. See generally id. § 107–08 (explaining the rules and methods of enforcement by the Federal Trade Commission and State attorneys general).
181. Bolen, supra note 172.
182. Id.
183. Id.
184. Data Security and Breach Notification Act of 2015, S. 177, 115th Cong. (2014).
185. Id.
186. Id. at § 2(a)(1).
187. Id. at § 3(c).
188. Id. at § 7.
C. Points of Agreement and Inconsistency
The proposed bills overlapped in several areas, but they directly contradicted one another in other areas. The three areas of most concern are (1) the legislation’s effect on state law, (2) the method of breach notification and time requirements for notification, and (3) data security requirements for entities possessing customers’ personal information.
1. State Preemption
Several of the bills expressly preempted state legislation in relation to data security and breach notification, including the Data Security and Breach Notification Act of 2014, and the Personal Data Privacy and Security Act of 2014.[189] The Data Security Act of 2014 would have precluded civil action under state law related to a violation of the Act.[190] The Cybersecurity Information Sharing Act of 2014 would have superseded state law to the extent that state law prohibited behavior that was allowed by the Act, but it did not supersede state law concerning law enforcement practices.[191] The Personal Data Protection and Breach Accountability Act of 2014 would have preempted state law regarding breach notification, but it would not have relieved entities from common law liability.[192]
The recently proposed Data Security and Breach Notification Act of 2015 would preempt state laws that require certain data security practices or require notification to individuals following a breach.[193] However, this Act would protect the availability of state laws regarding trespass, contract, torts, or fraud[194]—so consumers would still be able to pursue state law claims under these laws. This law provides the compromise of a general preemption, but without the negative effect of preempting all state law claims.
2. Response Method and Time for Notification
Notification timing ranges from a specific period of time, like President Obama’s Personal Data Notification and Protection Act and the Data Security and Breach Notification Act of 2014,[195] to a “without reasonable delay” standard in the Personal Data Protection and Breach Accountability Act of 2014.[196] Strict standards seem good in theory, but in a hearing on data security, Ravi Pendse, the Chief Information Officer for Brown University, expressed his concern that a strict notification deadline would be impossible for some entities to meet.[197] From a consumer standpoint, a short notification deadline, such as that in the Personal Data Notification and Protection Act, should be more appealing—it would provide quicker notice when their information had been compromised.
189. S. 1976; S. 1897.
190. S. 1927.
191. S. 2588.
192. S. 1995.
193. S. 1976 at § 7.
194. Id.
195. Personal Data Notification and Protection Act of 2015, H.R. 1704, 114th Cong. (2015); S. 1976.
196. S. 1995.
Notification methods and standards also vary across the proposed bills. The Personal Data Protection and Breach Accountability Act of 2014 would have allowed notification by letter, email, phone call, or public notice—including media notice or electronic notice on a website—if there were more than 5,000 people affected.[198] The Data Security and Breach Notification Act of 2014 would have allowed for similar methods of notification, but it allowed substitute notification if an entity had fewer than 10,000 individuals’ records and direct notification would not be feasible due to an excessive cost.[199] Similar to the Data Security and Breach Notification Act of 2014, the Data Security Act of 2014 also allowed for substitute notification if the entity did not have the contact information for the individual affected, or if the cost of notification was excessive.[200]
The Data Security and Breach Notification Act of 2015 takes a strict approach to the notification timeline—thirty days—which is the same as President Obama’s proposal.[201] Even though this requirement is strict, it should not prevent the bill from being passed, because the bill allows for notification “as promptly as possible” if thirty days is not feasible for several reasons.[202] Some may disagree with the tough standard, but the Act allows for a safety net if the standard cannot be met for legitimate reasons.[203]
3. Data Security Practices
In addition to data breach notification, several of the proposed bills also discussed proactive measures to improve data security practices in businesses. The Cybersecurity Information Sharing Act of 2014 hoped to improve data security practices by facilitating data sharing between companies and the government.[204] The Personal Data Protection and Breach Accountability Act of 2014 and the Personal Data Privacy and Security Act of 2014 would have allowed the Federal Trade Commission to regulate data security programs, and set broad standards for security practices, including risk assessment, design, and vulnerability testing.[205] The Data Security and Breach Notification Act of 2014 similarly called on the Federal Trade Commission to promulgate regulations regarding data security practices.[206] The Data Security Act of 2014 only called for “reasonable policies and procedures” to protect individuals’ private information.[207]
197. Getting it Right on Data Breach and Notification Legislation in the 114th Congress Before the Consumer Protection, Product Safety, Insurance & Data Security Subcommittee, 114th Cong. 1 (2015) (statement of Ravi Pendse, Chief Information Officer of Brown University).
198. S. 1995.
199. S. 1976.
200. S. 1927.
201. S. 177.
202. Id. at § 3(c).
203. Id.
204. S. 2588.
205. S. 1995, S. 1897.
The Data Security and Breach Notification Act of 2015 also gives the Federal Trade Commission the power to set regulations for data security policies.[208] There has been Republican concern about giving this power to the Federal Trade Commission[209]—however, it may be overly optimistic to expect all companies to comply with a voluntary standard. Therefore, a mandatory standard is the more appropriate measure.
The numerous differences in (1) state preemption, (2) response method and time for notification, and (3) data security make it difficult to devise a uniform standard. The following section proposes a compromise and recommends a data breach notification and security standard that Congress can adopt in forthcoming legislation.
IV. RECOMMENDATION
Data breach legislation faced difficult odds to be enacted by the end of the 113th Congress,[210] but the Cybersecurity Enhancement Act of 2014 managed to pass.[211] This bill was a step in the right direction, but it had to sacrifice substance in order to get bipartisan support. Many issues divide Democrats and Republicans in the area of data security and breach notification, but it is possible to pass a more impactful law on data breach notification and data security. Bipartisan support can be achieved by adopting rules from several of the failed data security and breach notification bills.
The first area to tackle is the area of breach notification. States have shown notification guidelines should be specifically outlined.[212] Given the vast differences in law across the states,[213] a federal law should be enacted to answer this question to provide uniformity across the country. It can most likely be agreed upon that consumers and law enforcement officials need to be notified by the business entity when a breach occurs, and it makes sense to have a uniform standard to create predictability across jurisdictions. While the Republicans have shown their general opposition to regulations, breach notification is a less contentious area.[214]

206. S. 1976.
207. Data Security Act of 2014, S. 1927, 113th Cong. (2014).
208. Data Security and Breach Notification Act of 2015, S. 177, 114th Cong. § 2(a)(1) (2015).
209. Alexis, supra note 60.
210. ERIC NAING, HOME DEPOT BREACH UNLIKELY TO PROMPT LEGISLATION (Sept. 10, 2014), 2014 WL 4436982.
211. Cybersecurity Enhancement Act of 2014, S. 1353, 113th Cong. (2014).
212. Security Breach Notification Laws, NAT’L CONFERENCE OF STATE LEGISLATURES (June 11, 2015), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
213. Michael Keller, Holiday Shopping? How Much Do Data Breach Notification Laws Protect?, AL JAZEERA (Dec. 1, 2014), http://america.aljazeera.com/multimedia/2014/12/to-catch-a-breachhowmuchdodatabreachnotificationlawsprotect.html.
214. Alexei Alexis, Data Security Outlook Remains Uncertain Despite Flurry of Bills, BLOOMBERG BNA (Apr. 22, 2014), http://www.bna.com/data-security-outlook-n17179889758.
458 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2015
The Data Security & Breach Notification Act of 2015’s notification requirement provides a balance of a quick timeline, but it also provides exceptions if following the deadline is not feasible.[215] This balance makes it the ideal standard to adopt. However, no matter what bill eventually passes, a clear standard for breach notification should be included in the legislation. While this is important, breach notification is only a part of what is needed to address the cybersecurity issues the country faces. Breach notification only matters when the breach has already occurred, and it does little to address the underlying problems that lead to massive breaches.
Another issue that has presented a problem is the potential preemption of state laws.[216] Some believe that a uniform law would be most successful only if it preempted all state laws, while others believe that states should be able to continue to enforce their stricter standards.[217] The first step to compromise on this issue is to develop a strong breach notification standard like that in the Personal Data Notification and Protection Act[218]—that way the federal standard would be closer to the strict state standards. The Data Security & Breach Notification Act of 2015 preempts state laws to provide uniformity, but its protection of certain state law claims—such as contracts and torts—is a good compromise. The issue of state law preemption does not have to derail this legislation.
The more contentious issues of information sharing and regulatory procedures for data security are much more likely to hold up the legislation.[219] Even so, data security legislation can provide a compromise by allowing companies to develop their own data security procedures and declaring broad security standards that are regulated by the Federal Trade Commission or another government agency. This would require the FTC to have some control over regulating security practices, but it would need to set certain boundaries to please all parties.
One of the most valuable ways to combat future breaches is to have the government communicate with businesses and businesses communicate with other businesses. The Cybersecurity Information Sharing Act of 2014 would have facilitated that sharing,[220] but privacy advocates are rightfully concerned about the safety of sharing so much personal information.[221] Setting strict standards to deal with the use of the information could alleviate this concern. Since there is concern with potential inappropriate data use,[222] adding in additional measures of oversight to regulate the information sharing between companies could potentially be enough to satisfy privacy advocates in order to get this law passed.
215. S. 177, 114th Cong. § 3(c).
216. REPUBLICAN COMM. STAFF, SUBCOMM. HEARING ON “GETTING IT RIGHT ON DATA BREACH AND NOTIFICATION LEGISLATION” 4 (2015).
217. Id. at 1–2.
218. Personal Data Notification and Protection Act of 2015, H.R. 1704, 114th Cong. § 101(a) (2015).
219. Id.
220. Cybersecurity Information Sharing Act of 2014, S. 2588, 113th Cong. § 3, 5 (2014).
221. M.G., supra note 113.
222. Id.
The last barrier is the area of data security regulation. Since there continue to be regular massive data breaches, companies need to improve their methods of handling sensitive, personal information, but the question remains whether federal agencies should dictate those standards or whether they should be developed within each company. Appropriately monitoring data security does not need to come from heavily regulating data security practices. An agreeable solution can also come from increasing transparency and increasing private rights of action against willful disregard for common data security measures. The first step is to have a standard, whether industry-led or outlined in a bill, that shows data security practices that are accepted as sufficient. Following President Obama’s Executive Order 13636, the National Institute of Standards and Technology led the development of a cybersecurity framework that can serve as this standard.[223]
Next, there must be transparency regarding the data security practices that each business practices. Consumers should know exactly what data security practices each company uses to protect their personal information, and they should know how these procedures stack up to the national or industry norm. However, transparency must have a limit—if there is too much disclosed, hackers may gain enough to bypass the security measures. This should be balanced to provide as much information to the consumers as possible without sacrificing security.
Further, in the case of a breach, there needs to be a clear private right of action. For example, a negligence cause of action could be brought if an individual’s data is stolen from a company. The company has a duty to protect a customer’s data when it is given to them. When the company does not take sufficient measures to protect the data, it has breached its duty to the consumer. A breach can result in many different kinds of harm, from fraudulent charges on a credit card to mental pain caused by knowing a hacker has your personal information. If this cause of action became the norm following a breach, Congress could avoid additional regulations that Republicans have shown distaste for. This could create a climate where there is every incentive for companies to handle personal information as securely as possible, even without clear regulation.
The United States needs to get ahead of these breaches and develop a plan for the future. The Cybersecurity Enhancement Act of 2014 provided methods to facilitate cybersecurity education to make the public more prepared for attacks in the future.[224] This section was not common in the discussed bills, but it should be included in any cybersecurity legislation. Hackers seem to be getting smarter and better at what they do, so the education sections of the Cybersecurity Enhancement Act of 2014 were necessary in order for this country to become more proactive and less reactive about data breaches.

223. Framework for Improving Critical Infrastructure Cybersecurity, NAT’L INST. OF STANDARDS AND TECH. (Feb. 12, 2014), http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.
224. S. 1353, 113th Cong. § 401 (2014).
V. CONCLUSION
The frequency and scope of recent data breaches should concern everyone, especially Congress. Protecting people’s data is a paramount concern, and it needs to be addressed by passing federal laws. This needs to happen soon, because there is a need for laws to protect consumers. The Cybersecurity Enhancement Act of 2014 was a step in the right direction, but there is not a uniform standard for breach notification, nor is there a comprehensive data security law.
Despite the lack of bipartisan support for the recent data breach bills, there are parts of each bill that can be used to cause meaningful change. If any future bills have a hope of being passed, people’s concerns for data privacy must be addressed in the legislation. The legislation must place a clear limit on the use of the personal data by the government and should only minimally regulate individual companies’ internal security policies. Legislation must also carefully address the conflicts with state law. Some states have strict data protection standards, and it does not make sense to lower the standard in those states by completely preempting their existing laws.
By taking into account the privacy and regulatory concerns of bill opponents, legislation can be drafted by Congress that will be supported by both Democrats and Republicans. In order to be most beneficial, the legislation must also take both large and small business concerns into account. While the recent breaches call for fast action, Congress must act carefully to protect the privacy of people and businesses in its legislation.