Is Congress the Solution to Data Breach Notification?

Earlier this week, Pennsylvania’s Attorney General, Josh Shapiro, filed suit against Uber “for allegedly violating the state’s data breach notification law by waiting more than a year to disclose an incident that compromised the personal information of 57 million users.” To mitigate the fallout from the data breach, which occurred in late 2016, Uber paid the hackers $100,000 to destroy the data they previously stole (side point: it is also worth pondering why Uber would trust the same hackers who stole the data in the first place not to hold or disseminate that information—if they acted in a deceitful manner once to obtain the information, can they be trusted to not do it again?). Shapiro alleged that “Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach . . . Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year.” As was noted in Fortune, Uber was actually lucky in the sense that the European Union’s General Data Protection Regulation (GDPR) was not in effect at the time; otherwise, it may have been required to pay up to 4 percent of its global annual revenue in fines.

In a different but related development, Equifax announced last week that the data breach it suffered in 2017 was larger than initially believed. The new revelations show that 2.4 million more Americans were affected than previously thought. Although the company is offering free identity theft protection and credit monitoring, one is certainly skeptical of Equifax’s ability to follow through on that promise. It has already failed to protect sensitive information once; it also failed to report the breach until several months after the company discovered the hack, and it knew of the security flaw two months before the hack began but took no action to adequately address the problem.

Between these two events, one thing is clear: Companies, particularly those that have access to and store sensitive information, must be held accountable for protecting consumers’ data.

At the moment, forty-eight states have legislation regarding disclosure of data breaches, although their ability to incentivize improved data protection by corporations and executives is questionable. As far as federal law is concerned, the current state of the law as it pertains to Article III standing is so unsettled that the outcome of a case (e.g., whether and how much Equifax may have to pay) could be entirely dependent on the forum chosen for litigation. There is a possibility (or probability) that the Supreme Court will eventually weigh in to clarify some aspects of the law, but that would take years to accomplish, and even then there is still the risk of an ambiguous ruling.

The best answer could perhaps lie with Congress. Americans are growing weary of extreme political polarization, and data security is an area where bipartisan consensus may be achieved.

As early as 2015, Democrats and Republicans in the House of Representatives worked together to draft the Data Security and Breach Notification Act. Similarly, Senators Bill Nelson, Richard Blumenthal, and Tammy Baldwin introduced a bill by the same name in the Senate late last year. This legislation goes so far as to create “prison time for corporate executives caught deliberately concealing data breaches.”

Although draconian, imposing such a punishment (and other requirements that could be articulated in the legislation) may be beneficial; state laws thus far have not served as a sufficient deterrent for some companies (see, e.g., Uber and Equifax). Moreover, if deliberate concealment of a data breach is a necessary condition to incur a prison sentence, the law would be specifically targeted at a narrow group of individuals who are indifferent to consumers’ personal information falling into the hands of hackers. A further benefit is that legislation passed by Congress could give courts clear standards to apply during litigation.

While it remains to be seen how many members from both parties will support the final legislation and the requirements it entails, the previous bipartisanship in the House is encouraging. Perhaps Republicans and Democrats can reach an overwhelming consensus on standards for corporate executives when it comes to data security and breach notification.