President Obama’s recent State of the Union address dedicated a notable portion of time on cybersecurity-related issues. “Tonight, I urge Congress to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information”, he told the assembled houses of Congress, forcefully adding that it “should be a bipartisan effort.”
“If we don’t act, we’ll leave our nation and our economy vulnerable,” the President said. “If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”
This was hardly the first time the American public heard someone in its leadership call for measures to bolster the nation’s cybersecurity. Republicans and Democrats alike – even Obama’s predecessor, George W. Bush – have continued to express their dismay about the nation’s cyber readiness. However, in the wake of major breaches affecting some of the nation’s largest retailers, it may be time to put aside partisan politics and work toward one specific goal: a uniform data breach notification law.
Home Depot, Target, Sony, JP Morgan: they are just a few of the high-profile victims of security breaches that provided the catalyst which could transform data security inertia into action. But we have been here before, and previous attempts to standardize the 47 different data breach statutes across the US have failed for one reason or another. That’s right: there are 46 different state laws, and one from the District of Columbia. It’s a business nightmare, and a lawyer’s dream, but in the end it’s the consumer that oftentimes loses out.
“Notification” Gets a New Life
Although the Republican-controlled 114th Congress may not see eye-to-eye with the current president on most issues, cybersecurity and data breach notification are not such “partisan” matters. That is because many of the issues are technical and involve national security. In the case of breach notification, failure to act after so many headline-grabbing breaches could be a stain on the record of both sides.
As the new Congress convened, and a week before the State of the Union address, the Obama administration sent a Jan. 13 letter to House Speaker John Boehner (R-Ohio) requesting that Congress move forward with three priority items not enacted from the administration’s 2011 cybersecurity legislative proposals. One of these was “protecting individuals by requiring businesses to notify consumers if personal information is compromised.” Given the recent outbreak of rather large data breaches, it’s the one aspect of the Obama administration’s proposals that Congress has moved quickly to consider.
The administration is seeking a federal law that will supersede the patchwork of state regulations – one in which breaches must be reported to affected individuals within 30 days, with some exceptions. Sen. Bill Nelson (D-Fla.), just a day later, told The Hill he would soon introduce a data breach notification bill “that closely resembles” the one requested by Obama, including the 30-day notification provision. On Jan. 27, the House of Representatives’ Commerce, Manufacturing, and Trade Subcommittee began its hearings on “What are the Elements of Sound Data Breach Legislation?”
Beyond the 30-day notification provision, the White House version would require that all breaches be reported to the government, and would empower the Federal Trade Commission (FTC) to set and enforce federal data notification and security standards. It appears the momentum is there, and all that’s left is to hold hearings, iron out some differences, pose nicely for a bill signing, and join hands in a bi-partisan kumbaya. But we’ve been here before, so someone tell Lucy we are not ready to kick that football just yet.
Time to replace the patchwork quilt?
So why should Congress even act on this area of breach notification? “Congress can and should provide immediate clarity and relief”, opined Mary Bono, a former 7-term congresswoman from California. In an op-ed appearing in The Hill, she noted that 47 different laws lead to ambiguity around breach reporting, “creating uncertainty where clarity is needed most. Congress can lead and make it possible for businesses to focus on fixing the breach and safeguarding sensitive information”, she added, “rather than navigating different administrative demands.”
Businesses could benefit from federal clarity, and thus uniformity around the issue. Over the years, I’ve spoken to countless business leaders, many from the IT/security/compliance side of the board, who have pleaded for a definitive federal law in the US – and calls for a new regulation are not something you often hear from people in the business community. There are others still in Congress and on the consumer advocacy end of the spectrum who believe any federal law must not create weaker standards than those already provided on the state level in many locations.
Elizabeth Hyman, executive VP of Tech America – the lobbying arm of the US tech industry’s trade group CompTIA – told the House committee during its recent hearings on the subject that one federal breach notification standard should be the top cybersecurity priority for Congress in 2015. Others, like Jennifer Glasgow, chief privacy officer for data broker Acxiom, warned of ‘notification fatigue’ as an adverse byproduct of a loosely defined breach regulation. “Industry in general is very sensitive to the over-notification problem”, she told the House during her testimony.
Elements of success
And what about the prospects for a federal law this go-around – one that effectively reaches its stated goals? In this area, there are few whose experience and objectivity can be valued above Howard Schmidt, advisor to the last two presidents, including most recently White House Cyber Security Coordinator from 2009-12. He’s witnessed both cybersecurity victories and failures on the legislative front, and few can better predict how this latest notification proposal may unfold.
Schmidt tells DatacenterDynamics that he holds “cautious optimism” about whether Congress will successfully pass a federal data breach notification standard. There are two perspectives on the issue, as he lays it out – one being the end-user or ‘consumer’, and the other the businesses that hold their data.
When it comes to the consumer, “I would be just plain confused”, Schmidt admits, making light of the 47 different statutory regimes. Some have excellent consumer protections, he observes, while others do not. From a business perspective, it’s extremely difficult to build a privacy and protection model when you have to navigate such a complex regulatory scheme. It would seem that the interests of business and the consumer are in lockstep, but as Schmidt warns “there are other forces at play” that complicate the issue.
These forces, he explains, come from ideological differences – both within the members of Congress and those who would seek to lobby them on this issue. “There are those that will say this impinges on the states’ rights to make laws”, Schmidt noted. Then there are those who will express concerns about whether a federal notification law will undermine and weaken state laws, such as that in California, which go to great lengths to protect customer data.
Whipping up enough votes to pass a data breach notification law is far from certain, Schmidt advises, and there are many roadblocks to overcome. He hopes, however, that stakeholders will put aside their partisan approaches and have a frank conversation on what can be done to help both the consumer and businesses – and in the end provide relief for both on an area of consumer protection that lacks a singular voice.
A successful legislative attempt, as he sees it, will include consumer protections that do not undermine what already exists at a state level, contain plain and clear language, while “being easy for businesses to implement.”
If this is the case, and a federal notification law is enacted, then it will have a positive impact on businesses and consumers, while reducing incidents of identity theft. It will cause consumers to pause and consider who they do business with based on the volume of notifications they receive, while businesses will need to re-evaluate their security strategies to avoid sending out so many notices. In short, Schmidt explains, “companies will have to re-think their security and privacy policies in such a way that it will have an overall positive impact on their business.”