Cybersecurity and Data Security/Breach Legislation – Is it coming?

Acxiom, July 09, 2015

You would think that everyone in Congress wants stronger cybersecurity and commercial security laws.  However, Congress has been slow to address both these issues.


With recent news about more security breaches in the federal government, we may see renewed interest in passing a cybersecurity law.  Draft legislation goes back to 2012, but Congress has not been able to agree on terms related to data sharing between the private sector and government entities.  However, action on cybersecurity has picked up over the past months in both Congressional bodies.

In late December, in the closing days of the last Congress, the House and Senate passed, and the President signed, a series of smaller cybersecurity bills, though none provided data sharing protections.  This past April, the House of Representatives passed legislation authorizing private-to-private, private-to-government and government-to-government sharing of cyber threat indicators and defense provisions, as well as providing liability protection for private-to-government sharing.  The Senate is expected to consider similar legislation this summer, although floor time for that bill has not yet been scheduled.

Data Security and Breach Notification

Interest in a federal data security and breach notification law for the private sector had a lot of momentum earlier in the year, but has slowed somewhat in recent months.  Currently we have 48 state laws, each with their own slightly differing provisions.  Conflicts over strong preemption, overriding all the state laws, and inclusion of health data not covered by HIPAA (e.g. health care plan account numbers in the hands of employers) have not been easy to resolve.  Also, jurisdictional disputes between commerce and financial services committees have contributed to the lack of progress. At the moment there are three bills under consideration in the Senate and two bills in the House.

The need for one federal standard grows every month as the states continue to amend their data security and breach notification laws.  Most recently, the Illinois legislature sent the Governor a bill amending its law for his signature.  Initially the bill included marketing data in the definition of sensitive data requiring notice.  As passed, the bill kept marketing data in the definition of sensitive data, but dropped the breach notice requirement.  This sets a very bad precedent: it makes it very easy to put marketing data back into the breach notice requirement at a later date, and it encourages legislators to include marketing data in the definition of sensitive data in other state laws, both in Illinois and in other states.

This is just one example of why we need a federally preemptive data security and breach notification law.  Other states are amending their laws as well.

Call to Action

First, if you have a presence in Illinois, now is the time to reach out to the Governor and urge him to veto this bill, or at least veto the provision including marketing data in the definition of sensitive data. We only have a couple of months before the Governor acts, so don’t delay.

Second, encourage your congressional representatives to pass a federally preemptive data security and breach notification law and a cybersecurity law.  We need one national standard for security breach notifications, not a patchwork of state laws that are regularly amended, and a reasonable cybersecurity law.