Drafting a National Breach Notification Law
Experts Disagree on Elements for Such a Measure
As Congress prepares to draft federal breach notification legislation, lawmakers must decide whether the measure should also include provisions to regulate information security to help prevent breaches.
Many businesses find complying with a patchwork quilt of 46 different state data breach notification statutes burdensome and agree that a single, federal law would relieve much of that load.
"One strong, uniform federal system that promotes predictability and certainty for consumers, consumer protection authorities and businesses, and reduces duplication, compliance costs and inconsistencies, is much [more] preferable," Kevin Richards, senior vice president of federal government affairs at TechAmerica, a technology industry lobbying group, told a House panel on July 18.
But advocates for such federal legislation disagree about what should be included in a federal breach notification law.
At the hearing of the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade, two academics offered different visions of the legislation, one more far-reaching than the other.
Andrea Matwyshyn, an assistant professor of legal studies and business ethics at the University of Pennsylvania's Wharton School, says a federal data breach notification law should focus just on notification. She sees no immediate benefit to regulating information security.
But David Thaw, visiting assistant professor of law at the University of Connecticut, contends breach notification requirements alone would be substantially less effective at preventing reportable security breach incidents than a combination of breach notification and comprehensive information security regulation.
What's at issue here are provisions found in some state breach notification regulations, such as Massachusetts' law, that give regulators the authority to promulgate rules that define the standards to protect personally identifiable information.
In the healthcare sector, federal HIPAA regulations and the new HIPAA Omnibus Rule, which modifies HIPAA, spell out data security as well as breach notification requirements.
Leaving IT Security Regulation to States
Matwyshyn says states' breach notification laws provide Congress with enough guidance to determine how best to require businesses to notify consumers of a breach. But, she says, experience at the state level has not produced a similar national consensus on information security liability.
"The states have shown us the way and adequately experimented with notification," Matwyshyn says. "The question of liability - how to craft it, what the standards are, what reasonable conduct is - [remains] a moving target and still very undeveloped. These questions are tied to broader questions of software liability generally, and if we start to regulate too early, we may disrupt the existing bodies of law and stifle innovation that is responsible for consumer protection."
Matwyshyn suggests that the states should retain the authority of regulating information security conduct, acting as a laboratory of sorts to identify best ways to regulate conduct. "At this juncture, it is dramatically premature and undesirable to federally limit liability for information security misconduct demonstrating a lack of due care," she says.
Linking Notification, Security Regulation
Thaw, however, says linking breach notification and information security regulation would protect consumers' interest. Besides, he says, most states lack the technical expertise to develop meaningful information security regulations, so the federal government should take on that task.
"This is a highly interconnected issue across the entire country, and I do not believe that the states have sufficient resources for enforcement or for simply providing for research and investigation necessary to know what standard would be effective at the national level as opposed to a state level," he says.
Thaw says his research on the efficacy of breach notification and cybersecurity regulation reveals that organizations employing a combination of breach notification and comprehensive information security were four times less likely to experience a breach than those instituting breach notification requirements alone.
He says adopting standards for breach notification without comprehensive information security regulation would create "definitional lock-in" for categories defined to serve the purpose of breach notification, such as Social Security numbers and other personal information, but not well-suited for later adoption to broader, comprehensive information security regulation.
"If a definition of information to be protected is developed based solely on consumer breach notification, the downstream information security implications will be costly," Thaw says. "Either organizations must engage in expensive reclassification of information and redesign of their information security programs when new regulations are subsequently implemented, or large areas of information may be left vulnerable if the regulations fail to expand the definition of information to be protected. In either case, the cost of considering breach notification separate from comprehensive information security measures would be high."
The odds are against the current Congress adopting Thaw's approach. Nearly all Republicans in Congress, especially those in the House of Representatives, oppose any legislation that contains new regulations, so the likelihood of passage of a federal breach notification bill that incorporates provisions to regulate IT security liability is slim, at best.