Anthem Data Breach Underscores Need for Federal Pre-emption, Say Witnesses, Senators at Hearing
A pre-emptive federal data breach notification law is necessary to reduce the complexity of dealing with such breaches, both for businesses and consumers, several witnesses told the Senate Commerce Consumer Protection Subcommittee at a hearing Thursday. But Illinois Attorney General Lisa Madigan said notification concerns are “overblown” and any federal standard must be stronger than current state laws.
The hearing was marked by health insurance provider Anthem’s Wednesday announcement of a data breach potentially affecting 80 million of its customers. Anthem’s ongoing investigation into the breach hasn’t shown that medical or credit card information was stolen, but names, Social Security numbers and employment data were among the breached material, said CEO Joseph Swedish in a statement.
Some experts are calling the Anthem breach the “largest healthcare breach to date,” said subcommittee Chairman Jerry Moran, R-Kan. The need for a federal data breach notification law, rather than a “patchwork” of state laws, “becomes clearer each day,” he said. Subcommittee ranking member Richard Blumenthal, D-Conn., called the Anthem breach “absolutely breathtaking in its scope and scale” and “mind bending in its impact.” Madigan said that because the Anthem breach doesn’t appear to involve medical data, it wouldn’t fall under the Health Insurance Portability and Accountability Act and would likely be handled at the state level.
White House Cybersecurity Coordinator Michael Daniel said the Anthem breach shows that data breaches will continue to be an issue in 2015. “It’s quite concerning that we would have yet another intrusion of this size” after multiple high-profile incidents in 2014, Daniel said during a Bloomberg Government webcast. “It’s one of those things that’s particularly disturbing, especially when it is that many people.” Daniel said it was too early to know what the implications of the Anthem breach will be but “I’m sure we’ll be learning a lot more over the next few days.”
Blumenthal told Mallory Duncan, National Retail Federation general counsel, he was “troubled by the failure of some retailers to take responsible steps to protect consumers” in the event of a data breach. Blumenthal cited some retailers’ refusal to disable breached payment terminals and to implement mobile payment technologies. He said he was “struck” by Duncan’s notification proposal for common law pre-emption. If the notification requirement isn't clear “across the board, courts will strike down” any conflicts with state law, said Duncan. Such an approach to pre-emption is “broader” than the subcommittee should consider, said Blumenthal. “A narrow pre-emption [standard] is more appropriate.”
The “very nature of this problem is that it’s interstate,” said Duncan. Small startups have instant connectivity through the U.S., not just in individual states, he said. This is a “national problem.” A federal notification law would encourage companies to “raise the cybersecurity bar,” said Doug Johnson, American Bankers Association senior vice president. He said the Gramm-Leach-Bliley Act could be a model for a federal notification law. That law required financial institutions to safeguard sensitive data and explain their data-sharing practices.
Subcommittee member Roy Blunt, R-Mo., asked whether “arbitrary deadlines” for companies to notify consumers of a breach would be helpful. Such deadlines wouldn’t be “useful,” said Yael Weinman, Information Technology Industry Council general counsel. Because all data breaches are “different,” the “right approach is flexibility,” she said. Deadlines won’t take into account that “smaller organizations” have fewer resources, said Ravi Pendse, Brown University chief information officer. Subcommittee member Steve Daines, R-Mont., said a 30-day notification period seemed “unacceptable.”
Congress needs to examine the strongest state notification laws, said Madigan, the Illinois attorney general, citing those of California, Florida, Indiana and Texas. It’s essential to see how those laws have adapted to new technologies like biometric data, she said.