On December 19, 2013, Target reported unauthorized access to its customers’ payment card data, which may have exposed 40 million credit card numbers and the personal information of up to 70 million individuals. The Target breach was so significant and shocking that a “cyber-thriller” movie based on it is reportedly in the works. Only months later, Neiman Marcus reported that 350,000 of its customers’ credit and debit cards had been compromised; at least 9,200 of those cards had been used fraudulently by February 21, 2014 – not an insignificant number. Data breaches are ongoing: just last month the University of Maryland reported that 287,580 records had been affected by a security breach, and earlier this month the California Department of Motor Vehicles reported a potential credit card security breach.
These security breaches are concerning for consumers, businesses and governments alike. Consumers risk credit card fraud and identity theft, as well as serious inconvenience. Businesses risk significant reputational damage, which may result in loss of business, reduced profits and a falling share price (Target has suffered a significant decline in profit, and its stock has fallen 9% since the breach was reported). Businesses may also lose valuable confidential information, such as trade secrets, in a breach. National security could also be compromised if government-related data is breached.
So, what is being done to address data breaches? Congress has responded to these high-profile breaches by introducing a number of bills to establish a uniform, nationwide data security scheme, but so far no agreement has been reached on how to deal with these challenging issues.
There is general consensus that the existing data security laws are unsatisfactory. They differ significantly from state to state, creating “a complicated patchwork of requirements”, and also by industry (for example, specific data security regimes apply to entities covered by the Health Insurance Portability and Accountability Act and to financial institutions covered by the Gramm-Leach-Bliley Act).
To investigate the best way to address data security concerns, three congressional committee hearings in the past two months have focused on these issues: the Senate Judiciary Committee’s hearing “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime”; the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade’s hearing “Protecting Consumer Information: Can Data Breaches Be Prevented?”; and the Senate Commerce Committee’s hearing “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches”. In each of these hearings, witnesses called for uniform federal legislation to address data security concerns.
Reflecting these calls for uniform nationwide laws, four data security bills to establish a uniform national scheme have been introduced or reintroduced in the Senate in 2014: the Data Security Act (“DSA”); the Data Security and Breach Notification Act (“DSBNA”); the Personal Data Privacy and Security Act (“PDPSA”); and the Personal Data Protection and Breach Accountability Act (“PDPBAA”). Some of the key areas on which they differ, and which are likely to be hotly debated by stakeholders, include:
- how prescriptive the data security obligations are. The DSA imposes a general obligation on entities to “implement, maintain, and enforce reasonable policies and procedures to protect the confidentiality and security of” protected information (§3(a)), whereas the other bills require the FTC to promulgate regulations setting out the security policies and procedures entities must follow, which are likely to be more detailed;
- the types of entities the data security and notification requirements apply to. For example, the security requirements in the PDPSA apply only to entities that handle the personal information of “10,000 or more United States persons” (§201(b)), whereas the DSBNA applies more broadly to any entity that handles personal information;
- when the notification requirement is triggered. The DSA requires disclosure only where the relevant entity determines that the compromised information “is reasonably likely to be misused in a manner causing substantial harm or inconvenience to the consumers” (§3(c)), a judgment left to the breached entity itself, whereas the DSBNA requires notification irrespective of the harm or inconvenience caused;
- whether there is a private right of action. The PDPBAA provides a private right of action (§205), but no similar right is contained in the other bills; and
- the civil penalty that should apply to breaches. This ranges from no specific civil penalty in the DSA to a capped $20 million per violation in the PDPBAA (§203(a)(1)).
Data security poses significant challenges for lawmakers, businesses and consumers, as the recent Target and Neiman Marcus breaches and the variety of legislative solutions proposed in response illustrate. Because technology evolves rapidly, any legislative solution will need to be flexible enough to adapt to changing threats. There does, however, appear to be general consensus that nationwide rather than state-based laws must be adopted, both to reduce the burden on businesses and to ensure that consumer information is adequately protected.