Earlier this week, the President announced a new cybersecurity initiative. The White House explained that:
"[t]here is a growing perception that individuals have lost control of their personal information; a negative implication of such a view is it may serve as an inhibitor of the use of technology, stymie innovation, and contribute to a less productive economy."
Of course, the President has no legal authority to implement most of his proposals. The Constitution gives Congress the sole power to introduce and pass legislation. The President's role is simply to sign or veto a bill once Congress approves. However, the President's bully pulpit gives him the practical ability to influence Congress' agenda. The primary purpose of the President's current cybersecurity push is to pressure Congress to enact comprehensive cybersecurity legislation.
North Carolina and 45 other states already have a data breach notification law. This might suggest that there is no need for a nationwide breach notification rule. Are state breach notification rules inadequate? Is there a compelling need for nationwide uniformity? These are important policy questions. In order to evaluate them, it might be helpful to understand how the White House proposal differs from state laws--particularly the data breach notification requirement found in the North Carolina Identity Theft Protection Act. This blog post will compare the White House proposal to North Carolina's existing breach notification requirement.
Entities Covered. The North Carolina breach notice statute applies to any business in North Carolina or that "owns or licenses" information about North Carolina residents. Under the White House proposal, only businesses that hold sensitive personally identifiable information about more than 10,000 individuals would be covered.
The Reporting Requirement of a Security Breach. The White House proposal would require business entities to give notice of a "security breach" involving "sensitive personally identifiable information."
The term "security breach" in the White House proposal would mean a "compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in...unauthorized acquisition... or access...."
The term is defined slightly differently under North Carolina law. Under our Identity Theft Protection Act, a security breach is "[a]n incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer."
Here's one difference: It would be harder to avoid reporting "low risk" incidents under the White House proposal. There are all sorts of scenarious that might result in unauthorized access, some of which can be relatively innocuous, and probably do not warrant reporting. You can imagine such situations easily. The White House proposal would make it harder to avoid reporting in these situations. Under the North Carolina law, a breach occurs when "illegal" use "has occurred or is reasonably likely to occur" or there is "a material risk of harm to a consumer." Under the White House proposal, there is a breach, and therefore a reporting requirement (at least to the FTC), if there is an "unauthorized acquisition" or "accesss...in excess of authorization." Under the White House proposal, even if the incident presents a low degree of risk, it must be disclosed to the FTC.
Here's another difference: Under the North Carolina statute, if a hard drive is stolen, but it's encrypted, there is no breach. Under the NC statute, that ends the analysis, and there is no reporting requirement. Under the White House proposal, there is a breach, even if the information was encrypted, and the custodian of the information would then have to undertake a risk assessment to determine if there is a "reasonable risk that a security breach has resulted in, or will result in, harm to the individuals." Encryption might support a presumption that there is no reasonable risk of harm. However, under the White House proposal, the business would be required to self-report to the Federal Trade Commission within 30 days:
(i) that it had experienced a breach and conducted a risk assessment,
(ii) the results of the risk assessment,
(iii) that it had concluded that there was no reasonable risk to individuals; and
(iv) logging data (i.e., records of access and changes to a database) for the six months prior and database users' and administrators' log-in information.
Definition of Personal Information. The term "sensitive personally identifiable information" is defined in the White House proposal similarly to the term "personal information" in the North Carolina statute, except that the White House proposal is slightly more broad and would also allow the Federal Trade Commission to create other categories of "sensitive personally identifiable information" by rule. In this way, the White House proposal might be more easily adjusted to changes in technology.
Timing of Notice. The days immediately following discovery of a security breach are difficult for a business, as well as being important to law enforcement. The first priority is almost always to identify and eliminate vulnerabilities. Businesses are reluctant to make public statements before they have obtained and analyzed the facts. Each of these steps may require outside help from forensic computer experts and security experts. It takes time. One of the ways in which the White House proposal differs from the North Carolina statute is the timing of reporting obligations. Under the both the North Carolina statute and the White House proposal, the breached business must notify affected customers "without unreasonable delay." However, under the White House proposal, that means no later than 30 days unless the FTC grants an extension.
Public Notice. In addition to notifying affected individuals, state statutes often require a public announcement, of some sort, of the breach. Under the North Carolina statute, the business must notify statewide media of the breach (and place a notice on its website) only if it chooses not to contact affected individuals directly because the cost of providing notice would exceed $250,000 or the number of affected individuals exceeds 500,000. Under the White House proposal, if more than 5,000 residents of any particular state are affected, the breached business must notify statewide "major media outlets" of the breach.
Under the White House proposal, if more than 5,000 individuals are affected by a breach, the business must notify the credit reporting agencies. Under the North Carolina statute, the threshold for making such a report is 1,000.
Allocation of Responsibility to Provide Notice. Under the North Carolina statute, the reporting obligation falls on the business that "owns or licenses" the personal information. A third party custodian who does not own or license the information must merely notify the owner or licensee of the information (not the affected individuals) in the event of a breach. The North Carolina statute does not address whether the owner/licensor can agree with the custodian that, in the event of a breach, the custodian would be responsible to provide notice to customers.
The White House proposal expressly allows owners/licensees and custodians to enter into a contract that allocates the responsibility to notify affected individuals of a breach; however, the notice must include reference to the party who has a direct business relationship with the affected individuals (i.e., the owner/licensee).
Summary. As you can see, the White House proposal differs from existing North Carolina law in a number of ways. From the perspective of a business that has consumer data, the White House proposal generally seems more burdensome; however, for businesses operating in multiple states, the additional obligations of the White House proposal might be outweighed by the benefits of having a uniform law across jurisdictions. (Responding to a multi-state breach is very challenging because of the variation in state breach response laws.)
Whether Congress will take up the proposal in earnest, and whether legislation resembling the White House proposal will pass both houses, is anyone's guess, but one thing is clear at this point--the President has initiated a public dialogue on these issues.