Data breach disclosure requirement has yet to materialize
Requiring disclosure of data breaches is one of those consumer-friendly goals that gets talked about a lot. But passing it into law? That's another story.
The 2009 Data Accountability and Trust Act passed the U.S. House of Representatives but died in the Senate. The Obama Administration, meanwhile, unveiled an expansive cybersecurity proposal last year that included a data breach provision.
"Any business entity engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired, unless there is no reasonable risk of harm or fraud to such individual."
The White House fact sheet on the proposal said the disclosure requirement "helps businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements."
"The president put a lot of effort into developing a comprehensive and generally widely-praised privacy protection platform," said Ed Mierzwinski, consumer program director for the U.S. Public Interest Research Group. "We want it stronger; industry wants it weaker, but it is pretty substantive."
But Obama's platform remains in the proposal stage. Other aspects of the cybersecurity debate have kept Republicans and Democrats from passing legislation.
"The privacy issue is tied up on the Hill for a variety of reasons -- partly because privacy and consumer groups do not want it to preempt stronger state laws, but industry special interests do; because those industry groups also want it to be watered down as well as ensure that it preempts ALL stronger state laws," Mierzwinski said. "Those special interests want to defeat any privacy law that might impact their wild-west use of personal information on the Internet."
The fight in Congress has dragged on so long that the Obama administration is reportedly considering an executive order on cybersecurity, although it's not clear that such an order would include a data breach disclosure requirement.
The executive order "only initiates agencies to start policies and practices. Most likely it won't require public disclosure. It may not even mandate private disclosure to the government," said Mark Jaycox, policy analyst with the Electronic Frontier Foundation, a think tank dedicated to free speech, privacy and consumer rights issues.
With no new requirement on the books for companies to disclose data breaches, we rate this a Promise Broken.
WhiteHouse.gov, "Fact Sheet: Cybersecurity Legislative Proposal," May 12, 2011
Email interview with Ed Mierzwinski, consumer program director for the U.S. Public Interest Research Group, Nov. 16, 2012
Email interview with Mark Jaycox, policy analyst with the Electronic Frontier Foundation, Nov. 16, 2010
Associated Press, "Draft order seeks to improve US digital defenses," Sept. 10, 2012
THOMAS, Cybersecurity Act of 2012, introduced July 19, 2012
Email interview with Eric Schultz, White House spokesman, Nov. 14, 2012
Bill requiring notice of security breaches passes House
On April 30, 2009, Rep. Bobby Rush, D-Ill., chairman of the Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection, introduced H.R. 2221, the Data Accountability and Trust Act of 2009. The purpose of the bill is to require "reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach."
The bill was co-sponsored by legislators on both sides of the aisle: Rep. Joe Barton, R-Texas, ranking member of the House Committee on Energy and Commerce; Rep. Cliff Stearns, R-Fla., the Republican leader on the Communications, Technology and the Internet Subcommittee; Rep. George Radanovich, R-Calif.; and Rep. Jan Schakowsky, D-Ill.
In a statement before his subcommittee, Rep. Rush noted that similar bills have been introduced in the last two sessions of Congress. Two years ago, it even passed the full Energy and Commerce Committee by a unanimous vote, but then stalled.
The bill has faltered, Rush said, as a result of "jurisdictional disputes."
Still, with the bipartisan support it enjoys from co-sponsors, Rush expressed confidence that this time around, it will become law.
According to Rush, the bill "establishes notification procedures that a company must take when a data breach occurs in order to allow affected consumers to protect themselves. Companies do not have to initiate such notices if they determine that 'there is no reasonable risk of identity theft, fraud or other unlawful conduct.'"
On Dec. 8, 2009, the bill passed in the House with a voice vote. The next day, it was referred to the Senate Committee on Commerce, Science, and Transportation.
We move this promise to In the Works.
Library of Congress, H.R. 2221, the Data Accountability and Trust Act of 2009
Web site of Rep. Bobby Rush, Statement by Rep. Rush, Chairman Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection, at the Hearing on H.R. 2221, May 5, 2009