Several data security bills are afoot in the House. They spell out the obligations triggered by a cyber-breach at an entity that collects and maintains personal information about individuals. One of them, H.R. 1770, defines personally identifiable information (PII) and requires that consumers be notified whenever there is a significant breach of PII held by a collecting entity.
The bill also preempts the patchwork of state laws that treat the topic differently, and it obligates the collecting entity to have reasonable cybersecurity defenses in place. That uniformity is highly useful to multi-state businesses, but it would also eliminate the higher levels of consumer protection built into some state laws.
H.R. 1770 was reported out of the Energy and Commerce Committee on a 29-to-20 vote. It was introduced by Representatives Marsha Blackburn (R) and Peter Welch (D), although Representative Welch did not vote for its passage. Other House bills, introduced by Representatives Barton (R), Rush (D) and Schakowsky (D), set somewhat lower, more sensitive thresholds for notifying consumers.
The bills differ in how confident a collecting entity must be that a breach was serious before it is obligated to notify consumers. This is a balancing act. Attacks of no widespread consequence should not be treated the same as serious attacks that may harm consumers, yet none of these bills intends to let a collecting entity conceal a security failure.
In the other chamber, Senator Nelson (D-FL) introduced S. 177, the Data Security and Breach Notification Act of 2015, and Senators Carper (D-DE) and Blunt (R-MO) introduced the Data Security Act of 2015. These bills are similar to those in the House and require notification of consumers if there has been a serious breach.
As in the House bills, the focus is on the behavior of the collecting entity, both before and after any breach. The behavior of the criminals who perpetrate the breach and damage the consumer is ignored.
The bills offer mildly useful security requirements for businesses, but overall they are disappointing in scope. They tell the private sector to beef up cybersecurity, but they do not say what level of protection is expected. Nor do they guide the FTC on how that security requirement should be adjusted over time or by circumstance. Presumably those essential details will have to be worked out the messy, expensive way, through litigation.
The FTC is tasked with monitoring whether collecting entities are meeting the law's requirements, but the bills neither obligate nor equip any law enforcement agency to aggressively hunt down and prosecute those who attack consumers' personal information. That is the main shortfall of these important legislative efforts.
We thank the elected representatives who are active on this topic, and we encourage them to take on the more prominent leadership role that is needed to hunt down the perpetrators of cyber-attacks against our government, business, and consumer information systems.
Alan Daley is a retired businessman who writes for The American Consumer Institute Center for Citizen Research