Congress Struggles on Breach Disclosure Law
Congress held a hearing on data breach disclosure rules today, where speakers and lawmakers alike struggled with questions over a national breach disclosure law, who should bear liability for breaches, and what information customers are entitled to know, and when.
The hearing, held by the Subcommittee on Financial Institutions and Consumer Credit, reached no particular conclusion. We did, however, see the broad contours of political division over the issue — Republicans leaning toward a national standard, where companies get to decide when disclosure happens; Democrats in favor of allowing states to keep their breach disclosure laws, and giving consumers more rights to control data about them.
Even then, it would be wrong to paint this discussion as just another example of Republicans favoring big business over consumers, Democrats doing the opposite. Lawmakers from both parties were frustrated with our current patchwork system of breach disclosure, and unclear liability for a breach, and the behavior of some companies where executives didn’t disclose a breach for months.
In the immediate term — “Oh lord, is Congress going to pass new data disclosure laws and dump even more responsibility on my business?” — corporate compliance and privacy professionals don’t have much to worry about. Lawmakers did talk about reviving legislation from two years ago, dubbed the Data Security Act, which proposed a national standard for breach notification and duties of care when an organization holds consumer data. But the wheels of legislation turn slowly, and Congress has plenty of more pressing issues and political bickering to do. Whatever might happen, you will see coming a long ways off.
On the other land, leaving compliance officers where they are doesn’t mean compliance officers are in a good spot. You still have that patchwork of state disclosure laws (52 of them, including U.S. territories), the EU General Data Protection Regulation coming in three months, and a host of other business and reputation risks driving your board to the point of panic.
So what insights can we glean from today’s hearing, that you can use to anticipate data privacy compliance challenges? A few stand out…
The questions of breach notification and ‘who owns the data’ are intertwined. Since the GDPR is coming soon, complete with its 72-hour window for businesses to disclose a data breach, lawmakers pondered whether they should do something similar here. Is 72 hours enough time? If not, what is? Or should federal law not set any specific time period at all, while companies focus on disclosing breaches accurately rather than quickly?
What’s really behind all that is the fundamental question of who owns personally identifiable information: the person described by the data, or the organization that collects the data. If you believe that people own their PII, then you probably lean towards immediate notification: people have a right to know when their property has been damaged.
On the other hand, if you believe companies own the PII people provide to them, you probably lean toward accurate notification: the company does have some duties to the PII subject, but not so many that disclosure is overly burdensome or meaningless. (Rep. Keith Rothfus, R-Penn., called it notification so often we are “notifying wolf.”)
The problem is that the GDPR clearly favors consumers owning their PII, while U.S. law favors companies. U.S. politicians will have a hard time squaring that circle, especially since Republicans are in power. Yes, they generally favor business, but data breaches are a very invasive consumer issue where public sentiment might tilt the GOP’s usual thinking.
So for global corporations already sweating GDPR compliance, that obligation might actually clarify your predicament: if you’re complying with something as burdensome as the GDPR, you’re probably well-positioned for breach disclosure here under the messier U.S. regime, too.
Our unclear system of liability for breaches in the United States drives the problem. Strong data privacy is a mess in this country because nobody wants to be held responsible when a breach happens. Strong data privacy legislation is so elusive because Congress doesn’t want to assign responsibility to someone anyway.
It’s easy to say that “the negligent party” should bear the cost, and several witnesses today said precisely that. The political problem, however, is that in general, smaller businesses are more likely to drop the ball on data security — and imposing costs or regulation on them is a political hot potato nobody, especially Republicans, wants to touch.
Kim Sponem, chief executive of the Summit Credit Union in Wisconsin, gave the example of a small restaurant chain (just the sort of business that might work with a credit union or community bank). That business will struggle with software patch management and breach notification, so local consumers might suffer multiple breaches in a short period of time.
Do we hold the restaurant liable? Because consumers can suffer lots of long-term harm from a breach, and that could put the restaurant out of business. Do we impose regulation that’s just as tough on the small business as the large, since the potential harm to consumers is equal? Because that runs contrary to a core Republican tenet that the regulatory burden should be less for small business.
There’s no easy answer to this on the legislative front. Hence we’re stuck in this loosey-goosey data security world, where we focus on litigation after the breach rather than regulation to prevent the breach. Which is dumb, but hey, it’s Washington.
We’re not addressing the true problem. The true problem, of course, is that too many breaches are happening in the first place. Any breach disclosure regime in the world won’t won’t help businesses much if data security itself is little more than a screen door for hackers to pry open.
Yes, everyone said that businesses should be responsible stewards of data. But that implies a set of expectations for good cybersecurity hygiene. How would those expectations actually be enforced? Nobody answered.
We could leave that question to litigation, as we do now. Or we could — gasp! — audit data security controls. That’s a heretical idea I mentioned in a post last year about the Equifax breach. Again, we had another congressional hearing, where lawmakers bemoaned a large company’s lax data security, which then screwed things up for millions of consumers who never knew they were exposed to Equifax in the first place.
I have no illusions that Congress ever will impose audits of data security, akin to audits of financial statements. On the other hand, after listening to lawmakers today, I don’t know what they will do about breach disclosure and data security. (The Republicans’ press release made nary a peep about possible legislation.) I don’t think the lawmakers have much clue either.