Just a few months ago, FBI Director James Comey observed that “[c]yber crime is becoming everything in crime.” One look at recent headlines tells you that he’s right. High-profile and large-scale data breaches have been striking a diverse range of targets, including retail, healthcare, hotel and entertainment companies. Law enforcement and security experts are quick to caution that those are just the breaches we know about. The motivation of those responsible for such data breaches can run the gamut from revenge to economic espionage. For this reason, no organization should ever assume that it is immune to a potential breach. The costs of such a gamble are simply too high: untold financial losses, including loss of intellectual property; costly and time-consuming litigation; government and regulatory investigations; and damaged confidence in the ability to protect personal, proprietary and customer information online. Clearly, corporate reputations are at stake as well as the company’s stock price. These are serious, and sometimes enduring, consequences. And, as people continue to connect their entire lives to the Internet, this unseen threat to our economic and national security is unlikely to go away any time soon.
{mosads}As Americans, we expect that when a threat of such endurance and severity is identified, our federal laws should promote better security. As organizations across the country deal with the potential for large-scale data breaches, there is one area in which Congress can and should provide immediate clarity and relief.
Currently, all but three states have their own data breach notification laws. This means that if a company doing business in multiple states faces a large breach of personal information, that company will immediately be obligated to identify and comply with a patchwork of state laws. These laws may impose different requirements on when and under what circumstances notification is required, and on the method and the content of the notification. In some states, failure to follow these specifications can result in fines, penalties or lawsuits. The result: at a time when immediate response and remediation is critical, these organizations and their counsel must first ascertain and negotiate compliance with any and all state laws that may be applicable to that specific breach. Seeking advice from lawyers or consultants who are well-versed in data security and privacy issues before, during and after any breach is a good idea, given the wide range of legal, regulatory and policy issues that can arise. But ambiguity in some state laws can complicate the legal issues, creating uncertainty where clarity is needed most. That’s just not helpful to the organization that is trying to comply with the law while dealing with the aftermath of a serious breach; and certainly not for the customers who rightfully want to know if their information has been compromised but also that their information is being protected today and in the future.
The president has stated he would put forward a new legislative proposal when personal data has been compromised. And Congress can lead and make it possible for businesses to focus on fixing the breach and safeguarding sensitive information, rather than navigating different administrative demands. There seems to be a general consensus within Congress that this legislation is needed, and needed now, in order to provide companies faced with a breach, or simply preparing for a potential breach, with clarity and certainty in their legal obligations. Whatever debate there is over the specifics of the language — including the strength of any preemption language — should not be an insurmountable obstacle. A federal data breach notification bill can and should be quickly passed by Congress and signed into law by the president.
Bono is a former congresswoman who represented California’s Inland Empire and Desert Region in the House of Representatives from 1998 to 2013. She is currently principle at FaegreBD Consulting in Washington, where she leads a technology, privacy and cybersecurity practice.