Congress urged to adopt national data breach standard

Congress should adopt a national data security standard to eliminate the patchwork of state laws and requirements that businesses must currently comply with and ensure that consumers are promptly notified that a cyber breach affects them, according to experts.

High-profile data breaches at Equifax Inc. and Uber Technologies Inc. highlight the urgency of reform on data security regulation, the experts testified at a House Financial Institutions and Consumer Credit subcommittee on Wednesday.

In the Equifax breach, more than 145 million Americans had sensitive personal information stolen, including Social Security numbers, driver’s license numbers, dates of birth and addresses — with the company aware of the vulnerability but failing to fix it for four months, said Marc Rotenberg, president of the Electronic Privacy Information Center and adjunct professor with the Georgetown University Law Center in Washington. The company also waited six weeks after it found out about the breach before notifying the public of the breach.

“I think our recent experience with Equifax demonstrates the need for prompt breach notification,” Mr. Rotenberg said. “As long as that software was not updated, the breach was ongoing.”

Uber’s breach exposed the personal information of 57 million customers and drivers in 2016, but the ride-hailing company paid hackers $100,000 to delete the information and did not disclose the data breach until a year later, Mr. Rotenberg said.

The experts urged Congress to implement a national standard covering breach notifications and other aspects of data security to supplant the current state-based regulatory system.

In 2003, California became the first state to enact data breach legislation, with 51 other U.S. states, territories and the District of Columbia following with variations of data breach legislation, creating a complicated patchwork of data breach notification standards, said Aaron Cooper, vice president of global policy with Washington-based BSA|The Software Alliance.

A federal bill should include “strong, yet flexible and scalable” data protection standards for all companies that handle sensitive personal information and safe harbor protection for companies that comply with federal data security standards, Nathan Taylor, partner with Morrison & Foerster L.L.P. in the firm’s financial services and privacy and data security practice groups in Washington.

Such a bill should require notification to consumers in the event of a breach that puts consumers at risk of harm and should pre-empt state safeguard laws and breach notification laws to “ensure that all Americans receive the same level of protection regardless of where they live.”

“In my view, we need a nationwide standard to address what is truly a national issue,” Mr. Taylor said. “When you review the current landscape of state laws, you find a complex matrix of inconsistent, sometimes duplicative and often contradictory requirements.”

But Rep. Maxine Waters, D-Calif., ranking member of the House Financial Services Committee, expressed concern that a national standard could be “a race to the bottom” and “not recognize that some states such as New York and Massachusetts have good standards, higher standards, and a national standard would certainly not match that.”

Experts and legislators disagreed on whether mandatory breach notification provisions in a federal bill should set a specific notification time period, such as 72 hours, with some citing reports that Equifax officials engaged in stock sales prior to the public announcement of the data breach to argue in favor of such a requirement.

“I think it’s really important that there be prompt notification, and I think the response from companies needs to be strong and immediate,” Mr. Cooper said. “But we also need to look at what’s going to be best for consumers, and one of the concerns about having an artificial deadline about when notification has to happen is that the initial information is not always the accurate information. It is more important that the information be accurate than it be fast.”

However, a federal standard is critical considering the data privacy standards being adopted in Europe and elsewhere, the testifying experts said.

There is a “growing divergence” between U.S. and European Union privacy laws, Mr. Rotenberg said. In the EU, the General Data Protection Regulation is set to take effect on May 25 and gives EU data subjects rights to breach notification within 72 hours of a breach and rights to be forgotten, meaning to have the companies controlling the data erase the personal information, among other rights.

“I think we need breach notification that’s almost immediate, but practicable — 72 hours, which the Europeans chose, is probably a good target,” Mr. Rotenberg said.

The Equifax data breach highlighted the importance of the U.S. moving on this issue because consumers in the United Kingdom, Canada and other countries were also impacted, he said.

“It’s very much in the long-term interest of the U.S. economy to strengthen our privacy laws because other countries are becoming increasingly concerned about the weak privacy standards we have,” he said.

Mr. Rotenberg also expressed concern about news reports that Mick Mulvaney, head of the Consumer Financial Protection Bureau, has pulled back from a full-scale probe of the Equifax breach.

“Why this is of particular concern is not simply about compensating the individuals for whatever harm they have suffered,” he said. “But it’s now almost six months since one of the greatest data breaches in U.S. history has occurred, and we still don’t know who’s responsible.”

“Rather than create a new authority, we should make sure current authorities do their job, and the last thing a current authority should do is drop an investigation that it already has the authority to pursue,” he added.