Several previous attempts to pass national data privacy and security laws have failed, but the massive data security breaches reported in recent months seem to be motivating members of Congress. In 2014, lawmakers have been busy introducing legislation that would impose data security obligations designed to protect consumers from identity theft and account fraud. Three competing bills have been introduced in the Senate, and a fourth bill has been promised. Perhaps most interestingly from a claims and insurable risk standpoint, none of the three bills already proposed would permit private causes of action for data breaches.
Personal Data Privacy and Security Act
The first of these bills, the Personal Data Privacy and Security Act, was introduced for the fifth time by Senator Patrick Leahy (D-Vt.). Leahy’s bill would establish a national standard for data breach notification and require U.S. businesses that collect and store consumers’ sensitive personal information to safeguard it from cyber threats.
Key provisions in the bill include: (1) tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data when it causes economic damage to consumers; (2) a requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security; and (3) an update to the Computer Fraud and Abuse Act to criminalize attempted computer hacking and conspiracy to commit computer hacking. Notably, however, this bill explicitly precludes a private cause of action for violations.
Data Security Act of 2014
Another bill, the Data Security Act of 2014, was reintroduced shortly thereafter by Senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.). In reintroducing the bill, Sen. Carper cited recent breaches at national retailers as a basis for attempting to prevent technological advances from outpacing security measures in place to safeguard transactions conducted in person and online.
Modeled after the Gramm-Leach-Bliley Act of 1999, the Data Security Act requires entities such as financial institutions, retailers, and federal agencies to better safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud. These new requirements would apply not only to businesses that take credit or debit card information, but also to data brokers that compile private information and government agencies that possess nonpublic personal information. An overarching goal is to protect consumers by replacing state laws that Sen. Carper has described as “patchwork” and often “inconsistent and conflicting.” Just as with the Leahy-sponsored act, however, private lawsuits would not be permitted.
Data Security and Breach Notification Act
Just weeks later, the Data Security and Breach Notification Act was introduced by a group of Democratic senators. Similar versions of this legislation were introduced in the two most recent Congresses. Key provisions include those that would require the Federal Trade Commission (FTC) to set security standards for databases that contain consumers’ personal information; establish breach notification requirements; incentivize businesses to adopt state-of-the-art technologies to combat hackers; and establish a two-pronged enforcement regime whereby the FTC and the state attorneys general would enforce the law, and breached companies would be required to notify a central, designated federal entity established by the Department of Homeland Security. That entity would, in turn, notify other relevant law enforcement and government agencies of the breach.
Although this bill would impose civil penalties and criminal penalties on corporate personnel who deliberately conceal a data breach, it also does not permit a private right of action.
Commercial Privacy Bill of Rights
Not to be outdone, Senator Robert Menendez (D-NJ) also has announced plans to introduce the Commercial Privacy Bill of Rights. His proposed legislation would limit the type of information a retailer or other entity can collect and how long it can be stored. It also would allow consumers to opt out of having their information transferred to third-party vendors. At the same time, the bill would seek to avoid unduly burdening businesses by providing safe-harbor provisions and, like the others, prohibiting private suits.
Undoubtedly, the most recent security breaches have proven to be a turning point in raising public awareness of cybersecurity risks. We often think that hacking situations occur only online or at e-commerce sites. The national retailer breaches have shown that personal data can be compromised in brick-and-mortar environments, as well. Although many data security breaches have not resulted in litigation or in regulatory actions, it’s a safe bet that plaintiff’s lawyers and regulatory authorities are hard at work inquiring into these breaches, while the breached companies ready themselves to potentially defend against lawsuits and respond to regulatory actions.
Under the proposed federal bills discussed above, stricter requirements and more stringent fines and penalties seem to be on the way for breached companies. But perhaps some may feel it beneficial to trade one set of legal requirements for the 46 state-based regulations that currently exist and to have private civil causes of action expressly prohibited.
Stay tuned to see which, if any, of the proposed bills’ provisions make their way into potential federal data privacy and security legislation.