Federal cybersecurity legislation seeking to establish a national standard for data protection and breach response is quickly working its way through the legislative process. The bipartisan bill, formerly known as the Data Security And Breach Notification Act of 2015 (hereafter “cybersecurity bill”), was introduced into the U.S. Senate on April 16, 2015, by Sen. Tom Carper (D-Delaware) and Sen. Roy Blunt (R-Missouri). According to the bill, it is intended to provide a “clear set of national standards that would help the prevention of and response to data breaches at public and private institutions.” The cybersecurity bill, which has been extensively revised and amended by both parties, has made its way through the House Energy and Commerce Committee and is ready for debate before the full Senate.
The current version of the cybersecurity bill requires a business to inform customers within 30 days if their data might have been stolen during a breach. The 30-day notification period starts when the business has discovered the breach and conducted a good-faith investigation to determine if there is a reasonable risk of identity theft, financial fraud or economic loss or harm. Third-party vendors must notify affected consumers on the same schedule. Also notable: the cybersecurity bill completely preempts all 49 state-level notification and security requirements (many conflicting) and establishes a single national standard for compliance.
Proponents of the cybersecurity bill, such as the American Banking Association, laud the bill as a comprehensive bipartisan effort that “will help facilitate increased cyber intelligence information sharing between the private and public sectors, and strikes the appropriate balance between protecting consumer privacy and allowing information sharing on serious threats to our nation’s critical infrastructures.” However, critics of the cybersecurity bill, including privacy advocates, suggest that the bill is a step backwards because it is weaker than the data security and breach notification standards that the public currently enjoys under stronger state laws (which will be preempted) and existing federal law. The national standard established by the cybersecurity bill – that a business must maintain “reasonable security measures and practices” – has also been criticized as too vague and as something that could lead to overly intrusive effects on business and consumer privacy.
We will continue to monitor the progress of the cybersecurity bill and keep you informed as it makes its way through the legislative process.