Is a Federal Data Breach Law in the Cards this Year?
There’s been some activity of late around efforts to pass a federal data breach law. Since 2005, the United States Congress has been trying to pass legislation to set a federal standard for what should occur when a business is hacked and sensitive personal information is stolen. Meanwhile, 47 states have passed their own laws to govern what companies need to do in the wake of a data breach. (See blog post: Five Questions Answered about Virginia’s Data Breach Law.) A patchwork of state laws can cause compliance headaches for businesses with operations and customers in more than one state. After more than 10 years of debate, the introduction of 40-plus bills, and a growing cybersecurity threat, can Congress agree on a federal solution?
Last week, the financial services industry renewed its push for passage of the Data Security Act, which was favorably reported in December by the House Committee on Financial Services. At the same time, a group of retailers made visits to Capitol Hill to discuss issues important to their industry, and they are opposed to the Data Security Act. Retailers prefer another measure, the Data Security and Breach Notification Act. That bill has the support of the House Committee on Energy and Commerce, which approved the legislation in April last year. As these stakeholders bump heads, can legislators find common ground? Some lawmakers have been meeting and trying to forge a path forward to enact a bill. The goal was to find compromise by spring, and now we are quickly turning the corner into summer. You might wonder why it’s so hard.
While setting a uniform standard is a primary goal of the effort to pass a national law, preempting state laws that are more stringent causes heartburn for some who are loath to dilute consumer protections. Other issues of contention include whether notification is triggered only when there is risk of harm (e.g., identity theft), who is responsible for notification if a third party holds the data and is breached, enforcement authority, and the imposition of civil penalties.
The financial services sector, which is already required to follow federal rules for data security under the Gramm-Leach-Bliley Act, thinks others in the chain of commerce should be held to the same standard. The retailers and other business groups are on board with a federal standard, but not the prescriptive approach the financial services industry supports. They feel the standards written for banks may be too complex for smaller companies and not appropriate to apply across all industries.
After enactment of the Cyber Information Sharing Act in December (see blog post: Better Cybersecurity: Working Together and Sharing Information), many hoped that the next legislative accomplishment for cybersecurity would be a federal data breach law. With two powerful committees taking different positions, a shrinking legislative calendar (the House has 34 legislative days left in 2016), and an election approaching, it’s hard to be optimistic that a compromise can be reached, passed by both the House and Senate, and signed into law this year. It may be that a new Congress will be back to square one in 2017.