It hasn’t been swift or without controversy, but the cybersecurity legislation is making its way through the ranks on Capitol Hill.
The Data Security And Breach Notification Act of 2015, as it’s formally known, was officially introduced into the U.S. Senate last week (April 16) from Sen. Tom Carper (D-Delaware), and Sen. Roy Blunt, (R-Missouri). This bi-partisan bill is being pitched as a mode to introduce a “clear set of national standards that would help the prevention of and response to data breaches at public and private institutions,” according to the language presented in the bill.
The cybersecurity bill, which was initially sponsored by Republican Rep. Marsha Blackburn and Democrat Peter Welch, has made its way through the House Energy and Commerce Committee, with several revisions and amendments as both sides of the isle have debated the measure heavily.
Carper said the bill will “ensure that we have common sense measures in place to safeguard the transactions we conduct every day in person and online,” and commented that the law is a “comprehensive” bi-partisan effort to set clear national standards for data protection and breach responses. While the Gramm-Leach-Bliley Act of 1999 created a framework for such legislation to build from, the Data Security Act is intended to add some uniformity to the practices.
The American Banking Association has also shared its support for the legislation.
“This bill will help facilitate increased cyber intelligence information sharing between the private and public sectors, and strikes the appropriate balance between protecting consumer privacy and allowing information sharing on serious threats to our nation’s critical infrastructures,” Frank Keating, ABA President and CEO, wrote in a news release.
“Cybersecurity is a top priority for the financial services industry, and the Senate and House bills would help protect America’s cybersecurity infrastructure against current and future threats,” he continued. “Banks invest hundreds of millions of dollars every year to put in place multiple layers of security to protect sensitive data. Protecting customers is our top priority. We look forward to working with Congress to pass cybersecurity legislation in the House and Senate and get it enacted into law as soon as possible.”
While some legislators have argued the bill is too vague and overarching, others think there needs to be more provisions about enhanced consumer data protection at the state level — as well as the federal. Democrats against the bill have pushed to have more specifics included, while proponents of the bill think tailoring it too much would hinder the impact of the legislation.
“I am very concerned,” Rep. Frank Pallone (D-N.J.) said last week. “I just think that this is moving much too quickly. There are a lot of changes that I think need to be made. I’m very concerned, particularly, about the preemption issue. All of these things need a lot of time and work … I would like to see the process slowed down.”
The bill requires that a business inform customers within 30 days if their data might have been stolen during a breach. The clock starts after the business has discovered the breach and conducted a good-faith investigation to determine if there’s a reasonable risk of identity theft, financial fraud or economic loss or harm, and restored the security of the breached systems.
In addition, the amended bill would require breached third-party vendors to notify affected consumers on the same schedule.
But the bill also preempts state notification and security requirements, many of them conflicting. Opponents of previous breach bills have fought for a single national standard both for notifications and security requirements. The new legislation bumps out specific requirements that exist in 49 states in favor of maintaining “reasonable security measures and practices.” That last section, in part, has been one aspect of why the bill has been so controversial because some legislators have said it is too vague and could lead to being overly intrusive in business and consumer privacy.
In an interview with The Washington Post, Blackburn spoke about the need to address data security on a national scale.
“Every American deserves to have their personal information protected, but right now only 12 states have data security requirements,” she said in an emailed statement. “We want to provide strong protections to everyone, and we go even further than most of the states that do have security laws.”
Welch, the other co-sponsor of the bill, said that without national protection, Americans can’t be guaranteed protection.
“I am usually, almost uniformly opposed to preemption — but this is an instance where unless you have a national standard you won’t have protection,” he said.
But as the cybersecurity bill moves forward, critics of the bill have voiced concerns about the impact of the bill.
“[The bill is] weaker than the data security and breach notification standards that consumers currently enjoy under stronger state laws and existing federal law. We aren’t opposed to efforts to establish a uniform national standard for data security and breach notification, but the new standard shouldn’t be weaker than the status quo,” Laura Moy, senior policy counsel of the New America Foundation’s Open Technology Institute said in an interview last week.
When the bill moved forward last week, the National Retail Association released a statement from Senior Vice President and General Counsel Mallory Duncan.
“We need strong tools to combat criminal data breaches. Throughout this process, it has been our goal to work toward legislation that advances and strengthens consumer protections and incentivizes businesses to safeguard sensitive data. NRF commends the committee leadership and bill sponsors for their dedicated efforts to reach these important goals,” she said. “In order to be successful, data breach legislation must secure a single national standard and match any penalties to obligations so as to avoid adverse effects on small and medium-sized businesses attempting to deal with the scourge of criminal hacks.”