WH Cybersecurity Proposal: Good Start on Data Breach Notification
Written by David Sohn, Harley Geiger
The White House recently released its long-awaited cybersecurity legislative proposal, finally adding its voice to the ongoing debate over government cybersecurity authorities. This is the fourth of a four-part analysis from CDT of various elements of the Administration’s far-reaching package. Part I, Part II, Part III
Part IV: Data Breach Notification: A Good Start
This blog post analyzes the data breach notification provisions in the recently released White House cybersecurity legislative proposal, a package of new executive powers and amendments to existing authorities aimed at changing the direction of the ongoing debate over executive cybersecurity authorities.
The White House proposal would require business entities that hold “sensitive personally identifiable information” (SPII) about more than 10,000 people to notify such persons when the business entity suffers a cybersecurity breach that results in disclosure of SPII, unless the breach involves no reasonable risk of harm to the individual. The Administration bill wisely includes a provision authorizing the Federal Trade Commission to adjust the categories of SPII, and it would permit enforcement by state attorneys general.
Because most states have already adopted data breach notification laws, breach notification is already effectively the law of the land.
The White House proposal would pre-empt those laws, which warrants special scrutiny to protect against eliminating current protections. Indeed, we find one crucial way – regarding health data – in which the White House proposal would preempt more protective state laws, as we explain below.
Data breach notification serves cybersecurity purposes by encouraging large business entities that hold personally identifiable information to better protect that information. It also helps defend against the theft of identity, a problem that can undermine cybersecurity in some contexts.
Data breach notification, however, is primarily a consumer privacy matter that CDT believes should be part of comprehensive baseline consumer privacy legislation. What is needed is legislation to protect consumer privacy in the on-line and off-line world that incorporates the full range of Fair Information Practice Principles. The effort to adopt data breach notification should not undermine the imperative of broad based consumer privacy legislation.
That said, we believe that if Congress does enact federal data breach notification legislation, the White House proposal is a good starting point, although it should be improved as outlined below.
Definition of Sensitive Personally Identifiable Information
The definition in the Administration’s proposal of “sensitive personally identifiable information” – information the loss of which is subject to the breach notice requirement – is similar in scope to definitions in many of the state laws and in most breach notice bills that have been proposed to date in Congress.
However, some of the drafting is not as clear as it should be. Moreover, the definition of SPII omits mention of health data. The proposal would define sensitive information as “any information or compilation of information, in electronic or digital form that includes—
- (1) an individual’s first and last name or first initial and last name in combination with any two of the following data elements:
- (A) Home address or telephone number;
- (B) Mother’s maiden name;
- (C) Month, day, and year of birth;”
First of all, this provision is ambiguous. Does the clause beginning “in combination with any two of the following” modify “first and last name or first initial and last name” or does it modify only “first initial and last name?” We assume it modifies “first and last name or first initial and last name” – otherwise the statute would be way overbroad. But, if that interpretation is correct, health data identified by first and last name and address would not be defined as sensitive.
Surely health data identified by full name (with or without address) should be sensitive. And, regardless of how you read the “in combination with” clause, health data identified by first initial, last name and address would not be defined as sensitive, when it surely should be as well. (Indeed, health data combined with first initial and last name, or with another identifier, should be considered sensitive.)
Because this federal law would preempt state law, the lack of mention of health data would result in a reduction of current protections. Some state breach notice laws – such as California’s – cover any medical information that is combined with the individual’s first name or first initial and last name. That is clearly good policy, and the federal law should not fall short. (Federal health privacy regulations already require breach notice for health data in some circumstances, but only for health data held by entities covered under HIPAA and by some providers of Personal Health Record (PHR) services, so the federal rule does not reach as far as the state laws that would be preempted.) The White House proposal should be modified to include health information tied to an identifier. The White House proposal could also be modified to include an exception, such as is found in California law, specifying that notification is not required for instances of good faith unauthorized access or acquisition of the data by employees or agents of the data holder, provided the data was not further used or disclosed in an unauthorized manner.
The White House proposal would empower the Federal Trade Commission (FTC) to modify the definition of sensitive information in rulemaking. This provision will help keep the statute up to date as technology evolves and new categories of sensitive data are put at risk and new identifiers are developed.
The White House proposal would override any provision of state law relating to notification by a business entity “of a security breach of computerized data” but it only requires notice of a subset of such breaches: breaches of data containing specifically defined sensitive personally identifiable information. As a result, for example, notice of breaches involving personally identifiable health data appears to be outside the scope of the proposed notice requirement, but would be inside the scope of the preemption section. While we appreciate the benefits of a national standard, preemption of state data breach laws should be limited to the data covered by the federal law, permitting states to develop their own laws to address breach of information categories not covered under the proposal.
Businesses must notify consumers of a data breach unless the business determines that there is “no reasonable risk of harm or fraud to consumers.” Under this formulation, notice is the default and must be given unless there is an affirmative finding of no risk. Notification would be required when the extent or nature of the risk is simply unknown. Some disclosures of personally identifiable information, such as health information, are harmful per se and the legislation should reflect that fact. “Harm” should be construed broadly to include reputational harm or embarrassment.
So long as harm is construed broadly, this appears to be an effective trigger, which will avoid notification regarding truly inconsequential data breaches. We would caution against requiring notification only where harm has occurred or is likely to occur, or only where there was a determination of a significant risk of harm. If a business determines that there is no reasonable risk of harm and that it is not obligated to notify consumers of a breach, the proposal would require the business to submit its risk assessment to the FTC — a critical safeguard for which CDT has advocated.
Delays for Law Enforcement
Under the White House proposal, federal law enforcement agencies can require businesses to delay notification of a breach if the agencies determine that notification would impede a criminal investigation or national security activity. While such a provision is appropriate, it should limit the duration of the periods of delay (e.g., 30 days) and require authorization by a senior law enforcement official.
CDT is encouraged that the White House has taken initiative in confronting the growing problem of data breaches. Overall, its proposal for breach notification is a good starting point towards a federal data breach notification standard, but CDT urges Congress to improve it in the coming weeks as the Administration proposal is measured against pending Congressional initiatives. However, movement on data breach legislation is not a panacea: consumer privacy requires a more comprehensive approach in the form of baseline consumer privacy legislation addressing the full set of Fair Information Practices.