Is a national data breach law in the works?

A recent New York Times piece, titled “House Passes Cybersecurity Bill After Companies Fall Victim to Data Breaches,” confirms that federal lawmakers are, slowly but surely, taking data breach and cybersecurity issues more and more seriously each day. The article begins like this:

Responding to a series of computer security breaches in government and the private sector, the House passed an expansive measure Wednesday that would push companies to share access to their computer networks and records with federal investigators.

The bill, which came after years of false starts and bitter disappointment for the Obama administration, is similar to a measure approved by the Senate Intelligence Committee and headed for that chamber’s floor this spring. The House measure, already largely embraced by the White House, passed, 307 to 116.

As for the details of the bill, the article includes the following information:

The House bill would provide legal liability protections for companies that share cyberthreat information with each other or with the government. But negotiators also added what they see as critical privacy protections.

If a company shares information with the government, it would receive liability protection only if its data undergoes two rounds of washing out personal information — once by the company before it gives the data to the government and another round by the government agency that receives the data, which many experts believe is critical in getting companies to comply.

If this bill becomes law (and to do so, it has a long way to go), it will be interesting to watch how it interacts with, or perhaps preempts, the current legal patchwork of data and cybersecurity law, which we’ve previously discussed. Also, if the new law confers a private right of action, it could be a vehicle for more class litigation.

Data Privacy and Cyber Security, Legislation Affecting Class Litigation

Legislative bodies continue to eye data breach bills

Since the Anthem breach, more and more legislative bodies have begun to take a closer look at the issues of data breach notification and data security in general, as several recent stories illustrate.

“House Focuses on Data Breach Bills” from the National Law Review states:

The issues of data breach notification and data security received a fair amount of attention in the House this week: On Wednesday, the House Energy and Commerce Subcommittee on Trade approved one data breach bill, and on Thursday, Rep. Jim Langevin (D-RI), co-chairman of the House Cybersecurity Caucus, announced the release of another.

The bill approved on Wednesday — the Data Security and Breach Notification Act — is sponsored by Reps. Michael Burgess (R-TX), Marsha Blackburn (R-TN), and Peter Welch (D-VT). It would require companies to maintain reasonable security practices and inform customers within 30 days if their data might have been stolen during a breach. It would also empower the Federal Trade Commission (“FTC”) to enforce the bill’s rules.

Another story, from the Albuquerque Journal, is headlined “Senate Panel Blocks New Mexico's Data Breach Bill.” It reports that a bill that “would have required retailers to notify customers when they were at significant risk of identity theft or fraud due to computer data breaches died in the final days of the Legislature’s annual session.” According to the sponsor of the bill, “The comments appeared to be it was too industry-friendly for the attorneys on the committee.”


Proposed changes to computer fraud law: Companies can collect against perpetrators

Cybersecurity issues can be daunting for many businesses. Just last week, Target Corporation agreed to pay $10 million to settle the class action lawsuit that arose from its highly publicized 2013 data breach.

But the Obama administration has proposed changes to the Computer Fraud and Abuse Act that would allow companies victimized by violations of the act to file civil lawsuits against perpetrators. Last month, the National Law Journal called the proposed changes “significant” for private companies. For more information, see cyberlaw expert Orin Kerr’s analysis of the proposed changes in the Washington Post.
