Trade Law Daily is a service of Warren Communications News.
State Pre-Emption Issue

Yahoo Breach Spurs Focus on Federal Notification Legislation; Ohlhausen Backs It, Too

Congress likely will see legislation next year that would require organizations that suffer a data breach to notify the public in a timely manner, experts told us Wednesday. If history is any indication, they don't expect any such legislation to move. That's even after Yahoo's announcement last week that personal information of its more than half a billion account users was stolen nearly two years ago (see 1609220046 and 1609230026). And two of the FTC's three members have told us that the commission unanimously wants a national law.


"Historically, there’s always been support for this," said attorney Christin McMeley, who heads Davis Wright's privacy and security practice. "Once you get into the details, that’s where things start to fall apart." Details of what triggers a data breach and when consumers should be notified, whether there should be a law enforcement exception and what will happen with the common carrier exception are the sticking points, said experts.

"I think for the last few years, people have said in advance of each new year, 'Surely, Congress will make federal data breach legislation a priority this coming year' and [then] make reference to latest big data breach," emailed Seyfarth Shaw privacy and security attorney Karla Grossenbacher. It seemed something would happen after 21.5 million individuals had their Social Security numbers and other personal information stolen in last year's Office of Personnel Management breach (see 1507090049 and 1508030062), but there appear to be "too many disagreements on what such federal legislation should look like," she said.

Jedidiah Bracy, an editor with the International Association of Privacy Professionals, said the Yahoo breach and notification legislation were on the minds of several senators at the Senate Commerce Committee's FTC oversight hearing Tuesday. "But we’ve seen momentum for such legislation build in the past, particularly after the Target and Anthem breaches, only to see momentum wane," he said. At Tuesday's hearing, Sens. Richard Blumenthal, D-Conn., Ed Markey, D-Mass., and Dan Sullivan, R-Alaska, asked FTC Chairwoman Edith Ramirez about the need for data breach notification, which she said the commission supported, recommending companies publicly report a breach 30 to 60 days after the incident. After the hearing, she said additional authority and federal standards are needed on the issue (see 1609270033).

In a statement Wednesday, FTC Commissioner Maureen Ohlhausen echoed Ramirez, saying federal legislation should strengthen the commission's existing authority governing data security standards and require companies to notify consumers of a data breach. Any legislation should give the FTC the ability to seek civil penalties as a deterrence, rulemaking authority under the Administrative Procedure Act and power to bring cases against nonprofit organizations and common carriers, she said: "Under current laws, the FTC only has the authority to seek civil penalties for data security violations with regard to children’s online information under [the Children's Online Privacy Protection Rule] or credit report information under the [Fair Credit Reporting Act]."

Blumenthal and Markey are co-sponsors of S-1158, introduced by Sen. Pat Leahy, D-Vt., that would make it a criminal offense to conceal a breach and not notify consumers 30 days after an incident. The bill, among at least nine similar bills introduced last year, carries some national security and law enforcement exemptions and would pre-empt state laws. A House Commerce Committee spokeswoman said that "data breach has been a primary focus for the committee and is a topic we’ve addressed through prior legislation. In light of Yahoo's recent data breach, this is a subject that we will continue to monitor."

State attorneys general had lobbied against congressional legislation, saying state laws have gained strength since the first ones were enacted in 2003. McMeley said many state laws are adding new data elements such as health information, user names and passwords. "They’re strengthening their laws and I think their concern is that with a federal law they would lose the ability to be able to do that," she said.

The National Association of Attorneys General pointed us to a 2015 letter sent to House and Senate leaders that said federal legislation would curb states' power to respond effectively to affected consumers. The letter said placing enforcement and regulatory authority with one federal agency would hamper the effectiveness of any federal law, and there are too many breaches for one agency to deal with.

Bijan Madhani, Computer & Communications Industry Association public policy and regulatory counsel, said industry supports a national bill because it's difficult for companies to deal with a patchwork of state laws. But he added there needs to be more discussion because there are so many factors to consider. He said narrower federal notification legislation would probably be easier to pass than one that's more comprehensive and addresses civil penalty authority for the FTC, jurisdictional questions and security standards, for example. "It's sort of a Pandora's box of issues," he said.

Experts also said another factor will be the priorities of a new president and Congress, and things could change, especially with legislation against state-sponsored hackers. Questions to the Hillary Clinton and Donald Trump campaigns weren't answered. While national legislation would simplify things for companies dealing with many state laws, McMeley said, "the truth is, from a practical standpoint, they’re all used to it at this point. And [state laws are] not so different -- most people have figured out how to get it down to form letters."