Cantor's Defeat: Impact on Breach Law
Passing National Guidelines Becomes More Difficult
Kentucky became the 47th state to enact a breach notification law last week. And while a national law superseding the widely varying state statutes is long overdue, the primary election defeat of House Majority Leader Eric Cantor makes passing such a bill tougher.
Kentucky Gov. Steve Beshear signed into law two bills, HB 5 and HB 232: one targets local and state governments and other public entities, such as public schools, state universities and law enforcement agencies, and the other aims at businesses and other groups operating in the state.
"It is important for government and private businesses to not only embrace the latest technology to protect sensitive information, but to also let people know when their personal data may have been fraudulently obtained," Beshear, a Democrat, said as he signed the legislation on June 11. "We all must be vigilant in protecting sensitive information."
The new statutes, which take effect Jan. 1, require individuals whose personally identifiable information was exposed to be notified within 35 days of the completion of an investigation determining that a breach had occurred. Both laws stipulate the process organizations must follow to notify customers, the public, consumer reporting agencies and credit bureaus. If the breach involves a public agency, the new statute requires that the Kentucky State Police, auditor of public accounts, attorney general, Kentucky Department of Education or Council on Postsecondary Education be notified, depending on the public organization involved.
One of the bill's sponsors, Rep. Steve Riggs, points out that Kentucky had been out of step with most of the other states. "We need to be in uniformity with other states, especially the big commerce states that you think of, like Texas, New York and California," says Riggs, a Democrat. "That uniformity helps our business community here."
Mischaracterizing the Situation
Riggs, though, mischaracterizes the situation. True, Kentucky leaves behind Alabama, New Mexico and South Carolina and joins the ranks of the other states with their own data breach protection laws. But each state's statute differs from the others. States, for instance, differ on the number of days organizations have to notify consumers that their accounts might have been breached. Different rules for different states make it tough for businesses operating nationally because they must adhere to 47 different state statutes.
"The nuances of breach notification laws across the country ... further complicate responding to multi-state breaches," says Joseph Lazzarotti, who heads the privacy, social media and information management practice at the Jackson Lewis law firm in Morristown, N.J. "Companies have to exercise care when determining whether a particular incident constitutes a breach, and to whom notice must be provided."
Creating uniform national requirements for data breach notification through federal legislation would seem to be a no-brainer that business would back. In fact, lawmakers have introduced nine bills in this Congress that address data breach notification, according to a congressional database. But don't count on Congress to pass any of them (see Why U.S. Breach Notice Bill Won't Pass). Cantor's defeat for the Republican nomination for the House seat in his Richmond, Va.-area district exacerbates the situation.
The rout of the No. 2 Republican in the House - Cantor lost by 11 percentage points - makes other lawmakers timid about acting on nearly any bipartisan bill, even on what many would consider common-sense legislation. It's a toxic atmosphere in Congress, which explains why a data breach notification measure and other cybersecurity reforms can't get passed and sent to the Oval Office for President Obama's signature. The current Congress is on track to enact fewer laws than any since the 1940s.
Another obstacle: getting lawmakers to agree on the bill's language. There may be widespread agreement on the need for a national data breach notification law, but not necessarily on its provisions. Plus, business lobbyists likely will try to water down data breach legislation provisions to make them less onerous and, in turn, help businesses save money. If those lobbyists succeed, support among consumer advocates in Congress for a national law could evaporate.
Despite the recent breaches at Target and other businesses such as P.F. Chang's China Bistro, there isn't much clamor from the electorate to get lawmakers to act on data breach notification legislation. There's no political payback for a lawmaker to vote for a data breach notification bill, especially if it weakens protections found in their own states' laws. Americans have become more mindful of cyberthreats with every headline of a new breach. But the anxiety of being victimized by a breach hasn't risen to the level that voters demand their representatives and senators do something about it.