The issue of cybersecurity is back in front of Congress in the wake of the news of the data breach at Equifax Inc., which reportedly has affected approximately 143 million consumers. Various industry trade groups, including the National Retail Federation, wrote a letter to Congress to advocate a sweeping uniform national law to deal with data breaches that would preempt the existing patchwork of state laws. Importantly, the letter points out that data breaches most strongly affect the financial services industry. According to the 2017 Verizon Data Breach Investigations Report, up to 24% of all data breaches are in the financial services industry, more than any other industry.
Given the vulnerable state all businesses find themselves in concerning data security, the letter argues that a national law on data breach notification should have four components:
- Preemption: Any new law would have to preempt the existing patchwork of state- and industry-specific laws, and provide a standard that would apply uniformly across industries nationwide whenever there was a breach.
- Data Security Standards: The data security requirement should be based on a “reasonableness” standard, similar to the existing consumer protection laws, and consistent with the current standard used by the Federal Trade Commission (FTC).
- FTC Enforcement Regime: The existing FTC enforcement framework should be retained, focusing on the fact that the FTC must bring an action requiring a business to stop behavior that the FTC deems to be a violation of law. The FTC cannot seek civil penalties until it establishes what a violation is.
- Notice Obligations: There should be a notice obligation to consumers in every instance where there is a breach of sensitive personal information that creates a risk of identity theft or financial harm. Any new law should not allow for industry-based exemptions or for companies to shift the notification burden to third parties.
The letter notes that data security threats impact a wide variety of businesses because commerce is so interconnected. The trade associations cited, as an example, the data breach at Verizon’s contractor, which exposed millions of Verizon’s customers’ personal data. Verizon was compromised even though the breach affected a third party, illustrating the interconnected liability of companies today. By implementing a national law that applies uniformly, both companies and their customers will be protected. In addition, customers will be notified more quickly and uniformly, and no particular industry will be disproportionately targeted with prohibitive compliance costs.
There are benefits to the financial industry if a national law, with a reasonableness standard, is implemented. It would allow for greater protection against industry loss because of the reduction of possible fraudulent activity if consumers are alerted more quickly and consistently across industries. Moreover, for larger, national companies, it will make compliance easier because there would only be one law with which to focus on complying, as opposed to the current patchwork of various state laws.
Given this latest, large scale breach, it is increasingly likely that a national law like the one proposed will be put forward, as consumers pressure lawmakers for some action on cybersecurity. Lendlerlaw Watch will monitor any developments on possible legislation.