One of the more frustrating aspects of consumer protection from identity theft, data breaches, and cybercrime is the state-by-state basis on which our legal system currently addresses this type of crime.
Consumers and businesses alike are subject to different laws, depending on where they’re located. But a new bill that has already come up for committee vote in Congress is working to establish a federal mandate for cybercrime, specifically in how businesses must respond to a hacking event or data breach.
The House bill—the Data Security and Breach Notification Act—which was put through by the Energy and Commerce Committee on April 15th, is already coming under fire and receiving some dissenting viewpoints from members of Congress. Even the chairman of the committee, Fred Upton (R-MI), openly stated that the bill isn’t ready yet. But there are some preliminary ways that the legislation seeks to protect consumers.
One thing it’s working to do is to mandate how and when a business must inform consumers that their information was accessed. The bill states that businesses only have to tell customers about a hacking event if it results in financial harm, but as the industry knows from medical data breaches, gaining control of someone’s credit card number isn’t the only avenue to financial damage. Right now, some states have a rule in place that a business has to tell its customers about a hacking event regardless of the outcome, while other states require businesses to inform consumers only after a certain number of customers have been affected. Still, some information is better than none, and this bill would require that consumers be kept up to date on at least some data breaches.
Other sources of contention included the $1,000 cap (per consumer) on the penalty a business could face for failing to inform customers of a breach; the original penalty was $11,000. A major issue for those who voted against this bill—which included all of the Democrats on the committee, including the original bill’s co-sponsor—is the loosening of the requirements with which businesses must comply. The bill removed the very specific steps businesses must take in order to prevent the loss of consumers’ private information, and instead requires them only to use “reasonable security measures and practices.”
The stakeholders in a federal bill of this kind are still working to formulate a plan that can address the needs of both consumers and businesses. Even Committee Chairman Upton conceded, “I would confess that it’s not quite ready and probably won’t be quite ready when we get to final passage early this afternoon.” From here, the bill will move on to the House floor for debate, which will likely include strong mention of the National Cybersecurity Protection Advancement Act of 2015, a bipartisan effort to create an information sharing process to prevent cybercrime.