Last week, the House Energy and Commerce Committee published a discussion draft of a proposed breach notification bill – the Data Security and Breach Notification Act of 2015.
I'm a big fan of the principles at play here: as a consumer, I expect that if a company I have entrusted with my personally identifiable information (PII) has reason to believe that information has been compromised on their watch, they will tell me. I believe this kind of transparency is not only important, it should be a consumer right.
I also support a single approach across all 50 US States. Having 47 different state laws to address breach notification is better than having none from a consumer protection standpoint, but it places a heavy burden on companies doing business in the US. It's time to simplify this approach with one consistent standard for the entire country.
This is where the new bill proposal comes in, and it gets some things right in my opinion. But it also raises some questions and concerns, which I've outlined below. As usual, please remember: I'm not a lawyer!
Some Good Basics
Typically when thinking about data breach notification requirements there are several key points to cover, and I like how this bill proposal deals with a couple of them:
Thresholds for disclosure
The original proposal published by the White House in January indicated that ANY compromise of personal information should trigger a disclosure. That concerned me, because it meant that a researcher uncovering a vulnerability and accidentally accessing PII would result in an organization needing to disclose, and my worry was that would lead to increased vendor defensiveness, and an even stronger approach taken against researchers. The bill proposal addresses this concern by stating that notification only occurs when:
“the breach of security has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud...”
It should be noted that while that addresses my research disclosure concern, some consumer protection and privacy advocates will probably prefer this threshold not exist, and notification to occur whenever PII is accessed. It will be interesting to see whether this stays in the bill or not.
Considerations for impact on small businesses and non-profits
There is a very valid concern that a data breach notification statute creates a crippling burden for small businesses and non-profits that have limited resources and staff. These kinds of organizations may in many cases be the easiest targets for attackers, and the least able to deal with the fallout. We don't want to lose these kinds of organizations or stifle innovation and entrepreneurship. This proposal acknowledges this and makes appropriate allowances for these kinds of organizations. Generally it seems keen to make sure all requirements are proportionate to what can be reasonably expected of a business given its size and resources.
Room for Improvement
There are some parts that look to be going in the right direction, but could do with some tweaking. Before I get into them, I want to flag that this is a discussion draft of the proposal, and so I think the whole point is that people will read it and provide feedback and questions like the ones below. Hopefully going through this process will lead to a stronger eventual outcome.
The definition of “Personal Information”
This is lengthy, so I'm not going to reproduce it here, but it's on pages 20 and 21 of the proposal if you want to take a look. This covers a lot of the right things, but I think there are some important things missing – for example there's no reference to health or geo-location information.
Timeline and means of communication for disclosure
Here we see another departure from the White House proposal, which stated organizations would have up to 30 days to notify. This was a concern as some states have more stringent requirements and it would be a miss to see a federal law worsen the situation for those already covered. This proposal addresses that concern by stating that disclosure must be made:
“as expeditiously as possible and without unreasonable delay, not later than 30 days after such covered entity has taken the necessary measures to determine the scope of the breach of security and restore the reasonable integrity, security, and confidentiality of the data system.”
In theory this brings the proposal in line with the most stringent state laws for breach notification timing. The wording on when the clock starts is a little vague though – on restoration of “reasonable integrity, security, and confidentiality.” I think the challenge for me here is the word “reasonable” feels too open to interpretation, and full clean up can take a very long time. In terms of breach notification, I think the crucial elements are that you need to have regained control over your network and assets, and determined who is impacted, and how. I'd tweak the wording to more specifically call that out as the point when the clock starts.
The piece around means of communication all seems pretty reasonable and straightforward, though I imagine companies won't like having to keep it posted on their site for 90 days.
References to cybersecurity measures
There are two areas that touch on this, one on the need for security measures and the other on the role of encryption.
Let's start with the need for security measures:
I work for a security company so it's not too shocking that I like that it pushes for security measures. My concern is that there are no real guidelines here to make this into a real requirement. I'd love to see some specifics on what the requirement should be or what “appropriate for the size and complexity” means. There are some conversations starting to happen on the Hill around what sane basic security hygiene requirements might look like and this could feed in here. If you have thoughts on the kind of basics that could be mandated, please share in the comments below.
The part on encryption comes in the definitions section (I'm on page 19 for those following along). There is a definition for encryption which ties further into the definition of personal information:
Creating an exception for encryption makes sense, but I am concerned that the way this is worded is too broad to ensure stringent practices are being followed. Not all encryption standards are created equally after all.
Beyond Breach Notification
One thing that's interesting about this bill is that it's not JUST about breach notification. The title itself indicates that the bill seeks to go further and address broader data security concerns. It makes a start towards this with the section mentioned above where it sets a requirement for security measures to protect sensitive information. Hopefully some meat might be added to make that section more impactful.
Another, more concerning area where we see the allusion to broader data security reach is in this section:
This seems to indicate that the bill will trump any other state law relating to “the security of data in electronic form.” I'm not sure whether this is intentional. I understand that the bill needs to pre-empt state breach notification bills if it's to alleviate the strain on businesses, and that makes sense to me. But also pre-empting other kinds of data security laws seems unnecessary and strange.
My concern is that this bill could inadvertently establish a dangerous precedent in how we view the responsibility and role of organizations in protecting their customers from cybersecurity threats in the future.
To give you an example: say a state had a law mandating certain security measures be taken by businesses, or perhaps a law pushing some form of liability for poor security practices and standards in code development. This bill could potentially nullify those laws given the way this section is currently worded. That would mean consumers couldn't benefit from the intended protections of such laws, which seems kind of at odds with the stated purpose of the bill, so I'm inclined to think this wording may be unintentionally broad. Hopefully we'll see it edited to focus more clearly on pre-emption for breach notification only.
Will the Bill Protect Consumers?
I think the bill has potential. Yes, in its current form it needs quite a bit of work, but I suppose that is the point of a discussion draft, and we will likely see some updates to the language currently being circulated.
Tackling cybersecurity legislatively is never going to be simple, and this bill is effectively trying to do two things – mandate notification behavior AND address the need for security measures. I'm not sure it's able to do both well and also keep the bill simple and easy to apply. It will be interesting to see how the language evolves.
Rapid7 will be providing feedback on the proposal to try to explain these concerns and get them addressed. If you're concerned about the potential outcome of this legislation, I encourage you to do likewise. It falls to those of us in the security community to take the lead on helping others understand our world and how best to navigate it.