Why the United States should rethink its breach notification strategy

May 21, 2019
Federal law should standardize how states and federal agencies handle data breaches

The patchwork of state data breach notification statutes, as well as federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), all share the same goal: encouraging organizations to adopt better security measures in order to avoid the embarrassment of public disclosure (in addition to other costs). After a decade and a half of experience, it is now safe to conclude that this goal has not been met.

Massive data breaches have become more common in the years since these statutes were enacted. Indeed, the constant drumbeat of revelations about the latest hack seems to be having the opposite of the intended effect on consumers: instead of making them cautious, it has made most consumers numb to the risk. A recent New York Times article headlined the problem this way: “Data Breaches Keep Happening. So Why Don’t You Do Something?” Another Times article asked, “How Many Times Has Your Personal Information Been Exposed to Hackers?”

Breach numbness is a real problem. Most breaches make headlines, but not all breaches are equal, and consumers may be confused about which ones matter most. The Equifax and Yahoo breaches were each very large, but they affected consumers in different ways. Equifax exposed core identity data (names, Social Security numbers, dates of birth and addresses) that a consumer cannot simply change, while the Yahoo breaches gave attackers account credentials, including hashed passwords and security questions, for billions of accounts. The Collection #1-#5 breaches were historic in size alone; as the name suggests, they were actually just compilations of previously breached data. At the other end of the spectrum, a less visible breach that never reaches the headlines might be an auditor stumbling across HR files or a fired employee taking such files with her when she leaves. How these various incidents are reported depends on the industry involved and the severity of the breach. Some (Equifax and Yahoo) were reported to regulators and the affected individuals were notified; others (Collections #1-#5) were covered only in the press; and some (the auditor or the fired employee in the example above) may never be disclosed at all. Yet all of these incidents exposed personally identifiable information (PII) in some way. To ensure the public knows when their data has been compromised, there should be a standard procedure for determining whether and how consumers ought to be notified.

Breach Accountability is Confusing

Under the current fractured legal landscape, a single data breach is governed by the laws of each state in which the affected individuals reside, not the state where the company that lost the data is located. Thus, if a company in one state suffers a hack that compromises a database containing the PII of individuals from all 50 states, the company that owns the database would likely need to comply with the breach notification law of each individual state, and those laws differ in what counts as PII, how quickly notice must be given, and whether the state attorney general must also be notified. This problem is almost certain to get worse as more states adopt proactive privacy laws, such as the California Consumer Privacy Act (CCPA), which takes effect in 2020.

To streamline the data privacy reporting process, the current data breach notification strategy needs to be updated.

Congress should create a single, federal data breach law that incorporates a reasonable risk of harm standard, under which notification is required only when the breach creates an articulable risk that the consumer could be harmed. Many state statutes contain no such provision. As a result, individuals are routinely notified of data breaches that carry very little risk of affecting them, which contributes substantially to data breach notification fatigue.

Once Congress creates a federal privacy law, it will then need to determine exactly how the new law will be enforced. Until now, data privacy regulation and cybersecurity issues have been the responsibility of state agencies or, at the federal level, of agencies enforcing industry-specific privacy regulations, such as HHS, which oversees HIPAA violations, and the Federal Trade Commission, which enforces consumer protection laws. Other federal agencies use their pre-existing regulatory authority to address data privacy at the institutions they already govern; the SEC, for example, has brought enforcement actions against public companies involved in data breaches under its authority over public companies.

The new federal privacy law should create a much clearer regulatory regime and, potentially, a new regulator to enforce it. A harder question for Congress to consider is whether a new statute should include a private right of action, as sought by consumer groups, to allow individuals to enforce privacy regulations even in the absence of government action.

A federal law should standardize how states and federal agencies handle data breaches, ensuring that all parties are on the same page when responding to a breach. The law should also list exactly which regulatory bodies should be involved and appoint a federal agency to oversee after-breach responses. If Congress makes some headway on this front this calendar year, we can start to address data breach numbness and take more steps to achieve our actual goal – keeping data safe from hackers.

About the Author:

Seth P. Berman leads Nutter’s Privacy and Data Security practice group. Corporations and their boards engage Seth to address the legal, technical, and strategic aspects of data privacy and cybersecurity risk, and to prepare for and respond to data breaches, hacking, and other cyber attacks. He may be reached at 617.439.2338 or [email protected]
