Last Thursday, CDT and law firm Jones Day brought together key industry, government and non-profit leaders at a reception on the hot issue of data breach policies and legislation. At the event, we announced the launch of our new multi-stakeholder effort dedicated to identifying innovative solutions to major data breach questions, the Common Ground Data Breach Forum.
The first meeting of the Data Breach Forum will be March 19, 2015, and it will bring together leaders from CDT’s Internet Privacy Working Group and the Digital Privacy & Security Working Group. If you’re interested in joining, contact me at [email protected]. We’re grateful to Jones Day for helping us launch this forum and for starting the important dialogue around data breach.
We’ll be developing a number of resources and briefs around data breach policy, but here’s a quick overview of where CDT is right now:
Data breach has become a daily occurrence, so much so that a September 2014 Ponemon study warned companies of “data breach fatigue,” a term used to describe the apathy felt by many consumers who feel helpless in the face of continuous breaches of their personal information. The study also found that 60% of U.S. companies have experienced more than one breach in the past two years, and that data breaches increased in frequency over the past year. This report, in addition to news of hacks into major retail chains’, entertainment studios’, health insurance providers’ and banks’ databases, underscores the need for a comprehensive, collaborative response to data breach.
Nearly every state has a data breach law that incorporates notification and security provisions. Last Congress saw the introduction of multiple bills that would create a federal standard for data security and breach notification:
- The Data Security and Breach Notification Act (Rockefeller, D-WV)
- The Personal Data Protection and Breach Accountability Act (Blumenthal, D-CT)
- The Data Security and Breach Notification Act (Toomey, R-PA)
- The Personal Data Privacy and Security Act (Leahy, D-VT) and accompanying House Bill H.R. 3990 (Shea-Porter, D-NH)
- The Data Security Act (Carper, D-DE, and Blunt, R-MO), and
- The Data Accountability and Trust “DATA” Act (Rush, D-IL).
Additionally, President Obama revealed a data breach legislative proposal, The Personal Data Notification & Protection Act, in January 2015. In February, CDT submitted a joint letter with various consumer advocacy organizations to the White House and Congress in response to the President’s data breach proposal.
Although baseline consumer privacy legislation is the most appropriate means of addressing data breach, CDT would support creating federal data breach legislation if it were as strong as existing state law and provided consumers with genuine added value. CDT’s data breach legislative primer outlines this position in further detail. Additionally, we believe that addressing data breach should not stop at the legislative level. The questions below are the ones the Forum will take up:
Risk assessment and liability. What constitutes a data breach? Should companies have to identify specific “harm(s)” resulting from a breach before they are required to notify consumers or regulating agencies about the breach? If so, what should those harms be? If not, what is an appropriate alternative standard? Should companies be required to report a data breach to a regulatory authority regardless of whether they have determined that the breach puts consumers at risk?
Standardization of notification. What is the appropriate consumer notification standard when a breach has occurred? Should there be a fixed deadline for notification or is “as expeditiously as possible” or “within a reasonable time period” sufficient to protect consumers?
Enforcement and Remedies. How and by whom should data breach legislation be enforced? Should the FTC and FCC have joint enforcement powers? Should state attorneys general have the ability to bring suit under a federal act?
Redress. What should a uniform approach to data breach response look like? Can company policies be put in place to help ensure consumers have a means of redress if the law does not adequately protect their interests?
Remediation. What measures can be taken to prevent attendant damages? How should immunity issues related to government sharing of data be handled?
Pre-emption. Should federal law preempt existing state data breach laws? If so, to what extent? If not, how can companies implement internal procedures that comply with the varied state approaches to data breach? How can companies reconcile a new federal data breach law with other existing laws?
For more information on data breach legislation, please see CDT’s legislative primer.