For nearly three months last summer, the sensitive personal data of more than 145 million American consumers was exposed to bad actors thanks to some “ham-fisted” behavior on the part of credit reporting giant Equifax. Americans were outraged, and lawmakers began to scrutinize Equifax’s conduct during the breach, including the sale by three Equifax senior executives of shares worth almost $1.8 million in the days after the company discovered the hack.
Since then, the Federal Trade Commission has opened an investigation, and members of Congress have introduced several bills proposing federal data security and breach notification regimes. To help you sort through this flurry of current and future proposed legislation, this blog post will take a closer look at four of the most comprehensive Congressional data security bills to determine how well they protect consumer data.
Comparison chart of the four bills (PDF): https://www.publicknowledge.org/wp-content/uploads/2019/10/SecurityLegChart.pdf
Senator Leahy’s “Consumer Privacy Protection Act of 2017”
If there is anything that the seemingly endless succession of recent massive data breaches has taught us, it’s that consumers are consistently left in the dark regarding the whereabouts of their sensitive personal information. Equifax, for example, took months to announce its breach, and three months after the breach, millions of its customers were still unaware that their data had been compromised. On November 14, 2017, Senator Patrick Leahy (D-VT) introduced a comprehensive data security bill, which puts consumer privacy first and makes companies that hold your sensitive personal data accountable for their actions.
The Consumer Privacy Protection Act (S. 2124) requires covered entities to provide timely breach notification that gives individual notice to consumers where feasible, offers comprehensive facts about the breach, and provides identity theft protection to those whose data was compromised. The bill also requires companies to provide breach notification to law enforcement agencies and the FTC to assist in criminal investigations or to compile statistics for future regulations and legislation.
Corporations like the three major credit reporting agencies (CRAs) have business models built on collecting consumer data and selling it on the secondary market. CRAs have no incentive to be transparent about consumer data because consumers are not their customers; consumers are the product. These companies are also very wealthy: the major CRAs make billions of dollars in revenue each year. The Leahy bill imposes substantial civil penalties on covered entities that fail to comply with its notice requirements, and the only limit on those penalties is a liability cap for willful or intentional misconduct. This broad liability ensures that the punishment amounts to more than a “slap on the wrist.”
Requiring data collection companies to follow a robust breach notification protocol is an important consumer protection, but effective legislation should require companies to go a step further. The Leahy bill imposes practical and effective data security program requirements on covered entities, which include administrative, technical, and physical safeguards, privacy by design, employee training programs, vulnerability testing, and risk assessment/management measures. Importantly, consumers can also obtain a free credit freeze from a covered CRA at any time under the bill. To incentivize compliance, the bill also imposes substantial civil penalties on covered entities that fail to meet those requirements.
Consumers who are affected by a data security breach should be free to have their day in court. This is a basic tenet of due process that has disappeared from many facets of American life thanks to contracts that compel consumers to sign away their right to pursue legal action in court. The Leahy bill preserves consumer rights by restricting a CRA or other covered entity from including these mandatory arbitration clauses in their contracts.
While it is important for the federal government to set a “floor” of minimum standards of data protection for Americans, federal data security legislation should not preempt state laws. Forty-seven states and the District of Columbia already have data breach notification laws in place, and many states, such as Massachusetts, have passed comprehensive data security statutes. The Leahy bill preserves state authority, thereby allowing states to continue their traditional role as the first line of defense for consumer privacy and data security.
A comprehensive federal data security regime should not be established at the expense of effective privacy rules and protections that already exist, especially at expert agencies charged with consumer protection in a specific industry or sector. For example, Congress deemed industries like healthcare, banking, and communications networks (and the information they use) sensitive enough to craft rules and protections at their sector-specific, expert agencies. Large cable, telecom, and online tech industry lobbyists have worked for years to single out and remove the protections at the Federal Communications Commission and its specialized data security enforcement authority, creating a race to the bottom in privacy and data breach protections. Section 222 of the Communications Act grants the Commission the power to protect the customer proprietary network information (CPNI) that telecom companies collect over their networks. Fortunately, Leahy’s bill allows the FCC, the expert agency on communications networks, to continue to protect consumer data on those networks.
Representative Rush’s Bill, H.R. 3816
Representative Bobby Rush (D-IL), who has been active on these issues for years, has proposed data security legislation that imposes robust breach requirements on covered entities. In the event of a breach, the Rush bill mandates that a covered entity notify affected individuals, the FTC, and the Consumer Financial Protection Bureau. Covered entities are also responsible for reporting breaches of third party entities working on their behalf. Affected individuals can obtain ten years of quarterly credit reports or ten years of a credit monitoring service free of charge. Although the Rush bill mandates penalties of up to $11,000 multiplied by the number of violations of the breach notification requirements, it imposes a restrictive civil liability cap of $5 million.
A significant flaw in H.R. 3816 is that it does not require covered entities to implement a data security program. As we wrote in response to the Equifax breach, individuals should be able to expect comprehensive data protection legislation, which compels companies to better deploy security and training so that the next breach is less damaging for consumers. Unfortunately, the Rush bill fails to include a consumer privacy and data security program regime.
The Rush bill commendably makes it unlawful for covered entities to include contract clauses that require mandatory arbitration related to data breaches. The bill preempts state authority, however, including robust state data security laws that are more protective. Additionally, the bill strips the FCC of its expert authority to protect consumer data on communications networks. Congress mandated this FCC authority because of the sensitivity of communications. Without this sector-specific power, all types of communications are at greater risk, since every facet of our economy and civic life relies on secure communications.
Also of concern is that the Rush bill provides a general exemption from the breach notification requirements for covered entities that determine there is “no reasonable risk of identity theft, fraud, or other unlawful conduct.” This creates a “notice hole” where an entity can be aware of a breach yet not be required to notify affected consumers, businesses, and government authorities.
Representative Langevin’s “Personal Data Notification and Protection Act of 2017”
Representative Jim Langevin’s (D-RI) proposed legislation (H.R. 3806) shares many of the strengths and weaknesses of Rep. Rush’s bill. On the positive side, the Langevin bill requires covered entities to provide timely, individualized notification where feasible, a description of the data involved in the breach, and contact information for the relevant entities, and it requires coordination with the major CRAs, law enforcement, and the FTC for breaches affecting more than 5,000 individuals.
Covered entities are exempt from the Langevin bill’s notification requirements if they pass a risk assessment conducted by or on behalf of the entity. While this implies an expectation that covered entities will implement some sort of a data security regime, it raises two important issues: 1) It allows for self-regulation, which has done little to deter breaches thus far, and 2) It allows third parties, which are incentivized to provide positive reports, to determine the quality of a covered entity’s security program. Unfortunately, the bill not only fails to address these issues, it also does not provide any express requirements for such a program, such as administrative, technical, and physical safeguards.
H.R. 3806 does not subject noncompliant covered entities to substantial new liability. Instead, a covered entity’s violations of the breach notification requirements are treated as “unfair or deceptive” acts or practices under the Federal Trade Commission Act. As noted above, this approach to liability fails to impose clear and substantial penalties on covered entities for data breaches, and therefore does not adequately incentivize companies to protect consumer data. In addition, the mere existence of a data breach may not necessarily give rise to actionable injury under the unfair and deceptive standard. In plain English, this means that even in the event of a massive breach involving sensitive data, consumers cannot count on the FTC to necessarily hold covered entities liable.
The bill likewise fails to preserve state protections, singles out the FCC’s sector-specific authority for elimination, and does not include consumer-friendly forced arbitration restrictions.
Representative Schakowsky’s “Secure and Protect Americans’ Data Act”
A key strength of Representative Jan Schakowsky’s (D-IL) proposed bill (H.R. 3896) is its detail. Like the Leahy, Rush, and Langevin bills, the Schakowsky bill offers thorough breach notification requirements, which include similar mandates for timeliness, particularized information about the breach, and notification to law enforcement and relevant federal agencies. Unlike the Rush and Langevin bills, however, it goes further by requiring covered entities to create and enforce robust data security measures. An entity must, among other things, implement a written security policy, identify a data security officer, identify and assess vulnerabilities, and incorporate a process for overseeing persons who have access to personal data.
As strong as the Schakowsky bill is in its detailed notification and data security program requirements, the bill imposes no new liability on noncompliant entities, opting instead to have the FTC enforce violations as an “unfair or deceptive” act under section 18(a)(1)(B) of the Federal Trade Commission Act. As we discussed above, more substantial liability than the current ex post liability regime must be at stake in order to incentivize covered entities to protect consumer data.
The Schakowsky bill lets down consumers by allowing covered entities to include forced arbitration provisions in their contracts. The legislation also wrongly preempts state data security and breach notification laws and strips the FCC of its authority as the expert agency on the flow of data over communications networks.
Some Concluding Thoughts
This analysis focuses on seven principles that comprehensive data security legislation must incorporate, but it should be emphasized that this is not an exhaustive list. Other important components of a robust data protection bill are:
- Transparency and access requirements for entities that collect sensitive consumer data
- A broad definition of a covered entity
- A definition of data minimization practices, to clarify what personal information is relevant and necessary for specific purposes
- Liability on covered entities that conceal security breaches involving sensitive personal data
- Liability on covered entities for breaches of third party affiliates
- A broad definition of covered information
The Equifax debacle has provided a troubling illustration of the deficiencies in our current laws. Despite being subject to regulatory oversight, Equifax’s extraordinarily lax data protections and inadequate breach response were only scrutinized after something went wrong. Federal data protection legislation must fill the gaps in our current regulatory regime that are failing to protect consumers and giving corporations a free pass for bad behavior. Congress must not sleep on this important issue and should pass robust federal legislation to give consumer data the security that it needs and deserves.