Data Breaches: A Growing Problem, but Will Congress Act?
Data breaches are a growing and ongoing concern. As the modern economy relies more heavily on web-based services, hackers throughout the world are finding innovative ways to exploit this new technology for their own gain. The big question is: will Congress act to address the problem?
Recent data breaches have drawn the ire of members of Congress, including the Equifax hack and Facebook’s privacy issue with Cambridge Analytica, largely because of perceived wrongdoing or an inadequate response on the part of the breached company. Data breaches are tricky because, on the one hand, the breached company is the victim of a criminal act which should be investigated and prosecuted. But, on the other hand, to the extent that a company is breached because it was negligent or even reckless in failing to patch a known security flaw, some kind of legal consequence seems appropriate. Crafting a legislative response to address data breaches is an intricate matter that begins with an important question: as a matter of federalism, are data breaches a state or federal concern?
A vast majority of states have laws on the books requiring a breached company to take some kind of action after a security breach. These laws define “personal information” and require that notice of the breach is given to either breached consumers or a state government entity such as the Attorney. States wielding their police power to regulate the response to data breach incidents makes sense because data breach litigation is usually focused upon a theory involving negligence, privacy invasion, or breach of a fiduciary duty (Solove & Citron, at 8). Each of these causes of action is firmly rooted in state law. Yet, the patchwork approach to data breach legislation leaves many companies scrambling to comply with very different laws in the various jurisdictions where individuals with breached data reside.
Yet, many data breaches end up litigated in federal court. The most common reason for this is the Class Action Fairness Act (28 U.S.C. §§ 1332(d), 1453(b); “CAFA”), which provides a federal forum to claims where the parties maintain minimum diversity (at least one plaintiff located in a state different from at least one defendant) and an amount in controversy of at least $5 million. Because many data breaches impact a disparate plaintiff class residing throughout the country, and because the sought-after remedy is much larger than $5 million, these cases are frequently removed to federal court.
Other data breaches are litigated in federal court from the start, with causes of action arising under federal statutes. Claims are often brought under the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq., “FCRA”), which requires companies that send information to credit reporting agencies to take “reasonable procedures” to protect the confidentiality of sensitive personal information. The federal government also regulates data security in several industries, including the healthcare industry through the Health Insurance Portability and Accountability Act (Pub. L. 104–191, “HIPAA”) and the financial services industry through the Gramm-Leach-Bliley Act (Pub. L. 106–102, “GLBA”). Lastly, the Federal Trade Commission (“FTC”) regulates some data security matters pursuant to the agency’s authority to prosecute unfair competition.
These statutes make clear that the federal government has some role to play in the data security sphere, and with good reason – data security can quickly become a matter of national security. First, many data breaches are thought to involve state-sponsored actors, implicating international law and sovereignty concerns. Next, data breaches can give rise to other federal crimes, including identity fraud (Internet Research Agency Indictment; Counts 3-8 at ¶¶ 96-98). When that identity fraud was apparently perpetrated with an intent to interfere in America’s free and democratic elections, the concern is only exacerbated.
So, what can Congress do to address this issue? While the problem is very complex and requires an equally complex response, Congress often prefers to address problems in a piecemeal fashion. There have been two bills put forth, one from Senators Nelson, Blumenthal, and Baldwin, and another from Senators Warren and Warner. It is important to note that the two bills cover different topics under the greater umbrella of data privacy – they are not mutually exclusive and they are not merely two different solutions to a single problem.
Senator Nelson’s bill, called the Data Security and Breach Notification Act, would require the FTC to establish minimum “policies and procedures regarding information security practices for the treatment and protection of personal information.” § 2(a)(1). This bill includes provisions that exempt financial institutions in compliance with GLBA, but it covers a large number of different organizations and industries. It also creates a series of new penalty provisions authorizing fines up to $5 million for infractions. Notably, § 7(a) dictates that this bill would preempt state information security laws. This provision is sure to be unpopular with certain states, especially those (like Massachusetts) that have been proactive in regulating data at the state level (see the testimony of Sara Cable, Assistant Mass. AG, to the U.S. House of Representatives’ Financial Services Committee, Part II.C, page 4).
Senator Warren’s bill has a narrower scope, addressing only “credit reporting agencies” with annual revenue “not less than $7 [million]”. § 2(4). After the Equifax breach announced in the Fall of 2017, the credit reporting agencies themselves became the focus of new scrutiny. Given the immense volume of sensitive information that these agencies possess, and their critical role in our financial system, it makes sense that these entities should satisfy more exacting standards. Senator Warren’s bill would establish an “Office of Cybersecurity” within the FTC, and that office would be charged with promulgating regulations and investigating non-compliance with those regulations. §§ 3(b)(B), (D). The bill also contains a fairly restrictive notification requirement – mandating that covered credit reporting agencies alert customers within 10 days after a breach. § 4(a). Such notification requirements present an interesting policy question. On the one hand, the sooner customers know of a breach, the sooner they can take action to prevent identity theft and fraudulent use of their finances. On the other hand, in countries like Australia that have recently implemented mandatory notification laws, companies have expressed concern that such a notification would amount to an “admission of guilt” that may come back to haunt the company in subsequent litigation.
Though there are many issues underlying data privacy and security, one thing is clear – something must be done. Because these bills address different areas of cybersecurity, they should both pass. Even if that were to happen, much more needs to be done. States undoubtedly have an important role to play, but it is much faster and more efficient for federal legislation to address an issue like this that impacts citizens nationwide. What precisely needs to be done, however, is a much more complex question. The 115th Congress has been derided for its lack of action on many important issues, including an immigration fix for DACA recipients and addressing firearms in the aftermath of the Parkland shooting. So, will anything actually happen? Only time will tell.
David Bier plans to graduate from Boston University School of Law in May 2019.