Trade Law Daily is a service of Warren Communications News.
Uber 'Obstruction of Justice'

Senate Consumer Protection Subcommittee Refocuses on Data Breach Legislation

Senate Consumer Protection Subcommittee Chairman Jerry Moran, R-Kan., and other members revisited possible data breach legislation Tuesday during a hearing on the Uber breach affecting 57 million accounts and on programs used for vulnerability identification. Uber disclosed its incident in 2017 after concealing it for a year (see 1711270047). Democrats, including ranking member Richard Blumenthal, D-Conn., chastised Uber, with Blumenthal saying the company effectively engaged in “almost a form of obstruction of justice.”

Blumenthal and Senate Commerce Committee ranking member Bill Nelson, D-Fla., used the hearing to highlight their Data Security and Breach Notification Act (S-2179), which would require companies to notify consumers of data theft within 30 days. It also would direct the FTC to develop security standards to help businesses protect consumers' personal and financial data, and it would provide incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach (see 1711300065). Nelson said he will continue working with Senate Commerce Committee Chairman John Thune, R-S.D., on compromise legislation, but any bill “cannot simply cater to corporate interests” and must provide consumer protections at a national level that are above the protections already enumerated in state-level statutes.

Senators' desire to compromise on breach legislation “increases” with each Uber-level problem, but “there are still broad issues that need to be determined,” Moran told reporters: “We continue to have questions about the definition of what information is included in the breach, what the notice requirement is and then the issue of pre-emption” of state-level laws. “I think we can find compromises and solutions to those kind of questions,” Moran said.

Moran said during the hearing he's particularly interested in clarifying “what policy safeguards are currently in place to prevent bug bounty programs from being used as extortion pay-out mechanisms in the future” after Uber gave the hacker $100,000 in 2016 via HackerOne's bug bounty program. But bug bounty programs also “serve a valuable purpose, and therefore legislation needs to encourage … free-market attempts to eliminate the breaches and their consequences,” Moran told reporters. Extortion is “already illegal,” but “we want to hear from law enforcement if there is something missing” in statute, he said.

Uber Chief Information Security Officer John Flynn endorsed the need for a national notification law, as did HackerOne CEO Mårten Mickos. Consumers Union Director of Privacy and Technology Policy Justin Brookman and Luta Security CEO Katie Moussouris were more hesitant. Moussouris doesn't want a national data breach law to result in “unintended consequences” or in the pendulum swinging “backwards.”

Uber recognizes its response, including its payment, was faulty, Flynn said. “Our primary goal in paying the intruders was to protect our consumers’ data,” Flynn said. “This was not done in a way that is consistent with the way our bounty program normally operates, however. In my view, the key distinction regarding this incident is that the intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data.”