Is a national data breach law in the works?

A recent New York Times piece, titled “House Passes Cybersecurity Bill After Companies Fall Victim to Data Breaches,” confirms that federal lawmakers are, slowly but surely, taking data breach and cybersecurity issues more and more seriously each day. The article begins like this:

Responding to a series of computer security breaches in government and the private sector, the House passed an expansive measure Wednesday that would push companies to share access to their computer networks and records with federal investigators.

The bill, which came after years of false starts and bitter disappointment for the Obama administration, is similar to a measure approved by the Senate Intelligence Committee and headed for that chamber’s floor this spring. The House measure, already largely embraced by the White House, passed, 307 to 116.

As for the details of the bill, the article includes the following information:

The House bill would provide legal liability protections for companies that share cyberthreat information with each other or with the government. But negotiators also added what they see as critical privacy protections.

If a company shares information with the government, it would receive liability protection only if its data undergoes two rounds of washing out personal information — once by the company before it gives the data to the government and another round by the government agency that receives the data, which many experts believe is critical in getting companies to comply.

If this bill becomes law (and to do so, it has a long way to go), it will be interesting to watch how it interacts with, or perhaps preempts, the current legal patchwork of data and cybersecurity law, which we’ve previously discussed. Also, if the new law confers a private right of action, it could be a vehicle for more class litigation.

Data Privacy and Cyber Security, Legislation Affecting Class Litigation