Federal policymakers are ramping up consideration of privacy and breach notification legislation. This latest effort is driven by several converging events – the Equifax breach, concerns related to Cambridge Analytica's use of social media data, international requirements on security and privacy (such as GDPR), and the patchwork of state data security and breach notification laws.
A baseline requirement for commercial data security is frequently part of these discussions, but sometimes as an afterthought. This issue deserves close attention to ensure any such requirement is both effective at protecting users and flexible enough to be practicable.
This post sketches some of Rapid7's high-level positions on commercial data security regulation. We would evaluate any regulatory proposal holistically and there are many possible approaches, so we are not committing to specific language here. We also recognize that federal commercial data security legislation is unlikely anytime soon, though states have been increasingly active in this area. Feedback on the principles below is welcome.
Support for comprehensive data security protection
As of June 2018, all 50 US states (as well as the District of Columbia) will have data breach notification laws. It is a testament to the enduring plague of breaches, and state legislatures' efforts to address it, that we have unlocked the dubious achievement of Patchwork Supreme. Increasingly, states are looking to directly require minimum security standards for personal information held by the private sector – at least 17 states (including, most recently, Alabama) now have such laws, and they can differ considerably by state and industry sector.
The fragmented landscape of state data security and breach notification laws does not serve consumers or businesses well. Consumers in different states are subject to uneven levels of protection, and the sheer complexity of the laws makes it more difficult for businesses of all sizes (which are now capable of being global businesses) to comply.
Rapid7 supports a unified and comprehensive data security standard for personal information that is clear and flexible enough for a wide variety of users and businesses to understand and implement. However, if current data security laws are preempted, a federal replacement should not establish substantially weaker protections than the status quo.
Separate from breach notification and privacy
While privacy and breach notification are both important issues, it is worth emphasizing that thoughtful security policy is distinct and irreplaceable. Data security requirements are often paired with privacy and breach notification legislation, both in states and at the federal level. However, it is also not uncommon for security to be absent or to receive less focus than breach notification or privacy requirements.
Too often, it seems breach notification regulations are relied on as a substitute for data security: since complying with breach notification requirements is expensive and difficult, organizations will be inspired to implement strong security safeguards to prevent breaches. (Consumer transparency also has more political support than a data security requirement.) Yet this calculus is too roundabout and only works to an extent, as demonstrated by the steady onward march of data breaches in spite of state breach notification laws and class action lawsuits. Notification requirements and common law causes of action (like negligence) only apply after a breach has occurred. Data security safeguards are critical to preventing breaches before they occur by addressing the root cause of many breaches – inadequate security.
Security is also widely accepted as a key component of a privacy protection framework. While privacy is not achieved through security alone, data security is critical to protect against risks to collected data that arise from unauthorized system behavior – such as malicious hacking and accidental data exposure. Privacy without security is entrusting your valuables to an unlocked vault.
Preserving flexibility with a risk management approach
A national data security requirement should remain effective over time for a variety of organizations without undue burden. One approach to achieving this flexibility is to require "reasonable" technical, physical, and administrative safeguards that are appropriate to the nature of the organization and the sensitivity of information it maintains. The reasonable safeguards should be aimed at controlling risks the organization identifies through a risk assessment, but legislation should not be over-prescriptive in what components must be in a security plan.
A benefit of this risk management approach is that not all data would need to receive the same level of protection, and the same expectation is not necessarily held for a small business as for a large global enterprise. Organizations can apply strict safeguards to especially sensitive data, and more basic safeguards to less sensitive data, as proportionate to the risks – but some protection would be in place for all data covered by the law.
Protecting against more than economic harms
There is a fierce point of contention over whether to limit any data security requirements to protection against economic or financial harm. This flashpoint usually manifests in two ways: 1) requiring security safeguards to only protect against economic or physical harm, and 2) restricting the scope of information covered by the law to information that can directly cause economic harm, such as protecting username/password for financial accounts but not credentials for other online accounts.
Rapid7 believes data security protections should not be limited to those that directly relate to economic or physical harm. The limitation would not align with user expectations or the wide array of threats organizations face today. Nonfinancial credentials are significant targets, can safeguard information sensitive to the user, and are often re-used across both nonfinancial and financial accounts. Modernized cybersecurity standards should reflect that credentials for online accounts need some level of reasonable protection against unauthorized access, even if the credentials are not required to complete purchases.
Limiting safeguards to economic harm would also be a step back from existing protections in many states. Numerous states require the private sector to safeguard personal information without limiting these safeguards to protection against risks of economic harm (see AL, AK, CA, CT, FL, IN, KS, MA, MN, NM, NV, OR, RI, TX, UT). Several other states require the private sector to protect credentials for online accounts, without limiting protection to credentials necessary for purchases (see AL, CA, FL, MD, MN, NV).
Cybersecurity is a major national priority and any broad, preemptive data security regulation should not significantly undermine current standards. However, the flexible approach we support – outlined above – may apply more stringent security for information that can directly lead to economic harm, and less for other types of personal information.
A note on names
Many state laws and federal legislative proposals define personal or covered information as always requiring an individual's actual name – first and last name or first initial and last name. Under these definitions, no data security requirement would apply to usernames/passwords, ID numbers, personal media, biometrics or medical information (not covered by HIPAA/HITECH), etc., unless the user's actual name were also included. (CA, FL, MD, and MN appear to be exceptions here.)
We believe this name requirement is anachronistic and should be dropped or greatly limited. A breached username/password, biometric authenticator, or even a photo – with the growing sophistication and availability of facial recognition and search – can easily yield a user's actual name. Moreover, the pool of breached data has mushroomed over the years. Frequent redistribution and aggregation of breached data has made it easier to combine data elements from multiple breaches and open sources, providing another means for matching a user's actual name to other data.
Encouraging crypto - and key security
Many state laws and federal legislative proposals rightfully encourage encryption or hashing of user information by exempting unreadable and unusable information from data breach notification laws. This has become pretty standard. However, this exemption should not apply if the encryption keys are also breached, since the keys can render the information readable and usable once more. (AL and MA call this out in their laws.)
Keep the track record in mind, but don’t be paralyzed by it
Privacy and security legislation is introduced in Congress every few months, and there is a concerted push for federal privacy or data security legislation every couple of years. Will it be different this time? Will this effort be successful?
Don't count on it. The landscape is littered with well-intentioned and unsuccessful efforts. Congress has considered broad data privacy and security legislation for more than a decade, often with greater or lesser fervor depending on the recency of high-profile events. For example, the Personal Data Privacy and Security Act was introduced in 2005, and the bill was revived in 2007, 2009, 2011, and 2014. The Obama Administration's 2012 Privacy Bill of Rights and the Kerry/McCain 2011 Commercial Privacy Bill of Rights generated much discussion, but ultimately floundered. Lots of data privacy and security bills have a similar history. After many big breaches and thoughtful rhetoric about the balance between security and innovation, little has changed at the federal level, and a lot of policy and industry figures are understandably dismissive about any prospects in the near term.
So it is with caution that we approach the subject of federal baseline data security legislation. But let us be neither naive nor cynical. It is prudent to think through positions on security regulation even if imminent action is not guaranteed. The same concerns that drove policymakers to consider data security proposals circa 2005 are still firmly with us, state legislatures are not waiting on Congress to act, and many people jaded by federal inertia on data security regulation also privately whisper "It is inevitable."