U.S. Data Breach Notification Law Unlikely in 2014With Time Running Out, Other Legislation Takes Priority
Despite President Obama's urgent call to lawmakers to enact a national data breach notification law, such legislation will not likely be voted upon before the current Congress recesses.
Obama, in signing an executive order to promote speedy adoption of chip-and-PIN credit cards at ceremony held Oct. 17 at the Consumer Financial Protection Bureau, called on Congress "to act with urgency on data breach legislation" because of a slew of recent high-profile data breaches (see Obama Seeks to Speed EMV Adoption).
"And even though I'm taking action today without Congress, Congress needs to do its part, as well," Obama said. "Today, data breaches are handled by dozens of separate state laws, and it's time to have one clear national standard that brings certainty to businesses and keeps consumers safe."
But despite the president's call and growing interest in Congress in enacting a national data breach notification law, no such bill has reached either the Senate or House floors in the current Congress. People familiar with the legislative process point out that business groups and consumer advocates with allies in Congress cannot agree on key provisions of data breach notification measures. Generally, businesses want less stringent data breach notification rules than do consumer advocates.
'Inaction Is Remarkable'
"In some ways the inaction is remarkable," says Peter Swire, senior fellow at the Future of Privacy Forum and professor at Georgia Tech's Scheller College of Business. "We had spectacular data breaches involving tens of millions of consumers, and even that is not enough to prompt Congress into action."
In the last four Congresses, the Senate Judiciary Committee has approved bipartisan data breach notification legislation, although none of the bills ever came up for a vote. But chances of that happening again in the current 113th Congress is diminishing.
Sen. Patrick Leahy, the Vermont Democrat who chairs the Judiciary Committee, has again sponsored a notification bill, but he's putting that measure on the back burner to push for Senate passage of another of his bills, the USA Freedom Act, which would rein-in the National Security Agency's bulk-collection program, a Senate senior staffer says.
"There's limited floor time, and the Judiciary chairman has to pick his spot," Swire says.
The Senate staffer says Leahy is working with the Judiciary Committee's ranking Republican member, Chuck Grassley of Iowa, to develop a bipartisan bill, but adds that it's unlikely that such a measure would be introduced in the current Congress. If Republicans take control of the 114th Congress, which begins on Jan. 3, Leahy no longer will be the panel's chairman, and his influence over legislation would be diminished.
Even without congressional action, data breach notification is regulated in most of the United States, but on a state-by-state basis; 47 states have enacted data breach notification laws (see States Advance Breach Notification Laws). But each state statute differs from the others. Many business groups would prefer to see a single, national statute to cut down on the paperwork involved in reporting data breaches.
Lots of Work
"It's a lot of work trying to address all the different requirements of each of the different states, the scope is different, the coverage is different, the requirements are different," says IT security and privacy lawyer Francoise Gilbert of the IT Law Group.
Still, just having a national bill doesn't solve the problem if lawmakers can't agree on the content of the legislation.
An analysis of four data breach notification bills before the Senate conducted this past week by the law firm King Spalding shows a big difference on requirements on timing of notification.
According to the analysis, the Leahy bill would require businesses that experience a data breach to notify individuals within 60 days or obtain approval from the Federal Trade Commission for a longer notification period. Legislation sponsored by Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., would require notification to affected individuals within 30 days. The measure championed by Sen. Richard Blumenthal, D-Conn., would require notification "without unreasonable delay." Legislation backed by Senate Homeland Security and Governmental Affairs Committee Chairman Tom Carper, D.-Del., doesn't specify a time, but leaves that up to regulators, as long as it's done quickly.
Not all situations are covered in each of the bills. For example, the King-Spalding analysis shows that the Leahy bill generally would require that notifications describe the personally identifiable information that was breached, provide a toll-free number to contact the business regarding the personally identifiable information it maintains and provide a toll-free number and address for the major credit reporting agencies.
The Blumenthal bill would adopt these requirements and adds disclosures of the telephone numbers and website addresses for "relevant federal agencies that provide information regarding identity theft prevention and protection." Rockefeller's bill would add a provision requiring disclosure of the right to obtain consumer credit reports and the FTC telephone number and website address for information about identity theft. Carper's bill would require that notices describe the information at risk, the actions taken to address the breach and the consumers' rights under the Fair Credit Reporting Act to place a security freeze on their accounts.