The Case for a 'Borderless' Breach Law
Is Timing Right for Congress to Act?
First and foremost, notice of a breach to affected consumers should be done in a clear and uniform manner, so that individuals aren't being over-notified, says Valdez, senior director of public advocacy at the computer industry group CompTIA.
"We think that the trigger for when a notice has to be provided is uniform, so it eliminates the ambiguity for the businesses as to what their obligations are in terms of providing notice to their consumers," he says in an interview with Information Security Media Group [transcript below].
Requirements around breach notification obligations also should be technology-neutral, Valdez says.
"It doesn't matter what the technology is once a breach has occurred," he says. "One-stop shopping in terms of what the obligations are, as opposed to looking at a patchwork of obligations, would be great."
Further, Valdez says, state attorneys general should be able to enforce national data breach notification laws. "Individual private rights of action can sink a small business, and therefore it should only be the state attorney general and the federal agency that can enforce the requirement to eliminate waste and abuse."
But how close is Congress to acting on national breach notification legislation? "I think that [cybersecurity] is such a buzzword these days that it has gotten the attention of legislators," Valdez says.
"It's a process that once people have heard the discussion long enough, people on [Capitol Hill] are more amenable to a [conversation] as opposed to looking at the issue based on first impression."
In the interview, Valdez:
- Explains why Congress might be primed to act on national data breach notification legislation despite years of inaction;
- Addresses various problems he sees with the current environment of 46 separate state laws;
- Discusses key provisions he feels should be incorporated into a national data breach notification law.
Before joining CompTIA in 2010, Valdez served as vice president of public affairs, policy and communications at Verizon Northwest and as Verizon's chief privacy officer. Earlier in his career, Valdez served as an attorney-adviser at the Commerce Department's National Telecommunications and Information Administration as well as a special assistant to Rep. Maxine Waters, D-Calif.
National Breach Notification Framework
ERIC CHABROW: Let's start off with a simple definition of the words national framework. Does a national framework mean a national data breach notification law enacted by Congress and signed by the president that would supersede state laws?
DAVID VALDEZ: That's exactly right. I couldn't have said it better myself.
Enacting Breach Legislation
CHABROW: Well as you know, it's been kind of tough getting Congress to enact any significant IT security and privacy legislation in the past half-decade, maybe even in the past ten years, including breach notification. How would you go about getting Congress to enact such a law?
VALDEZ: I find that Congress tends to move in inches as opposed to miles, but when there's a momentous shift in the discussion and the dialogue about issues related to cybersecurity, issues related to data security and data breach notification, I think that it's such a buzzword these days that it has gotten the attention of legislators, and I think that there's more and more discussion about the need to create a national framework today than there was three or four years ago. I think that it's a process that once people have heard the discussion long enough, once people have familiarized themselves with the issue, people on the Hill, legislative staff and legislators, are more amenable to a discussion as opposed to looking at an issue based on first impression.
CHABROW: Have you got a sense of what could move this? You're saying there's the awareness of it and some of the problems associated with having 46 separate laws, but is there a specific catalyst that you could point to that could maybe get this moving?
VALDEZ: I think the will of a couple of champions on the Hill, and it's something that we're working to cultivate. I think that with the kind of emergence of new leadership in the Senate, we're hopeful that there will be a seat at the table for the discussion of data breach. For example, I know on the House side the Energy & Commerce Committee has tentatively reached out to stakeholders about having a discussion on data breach. We know this is also an issue that we have teed up in the Senate, and I think that it's a constant drumbeat that eventually gets the issue teed up.
Issues with Existing Breach Laws
CHABROW: Many of our readers are familiar with the problems of trying to comply with breach notification laws and regulations in as many as 46 states. What other problems exist with existing breach notification laws?
VALDEZ: The main problem with state data breach notification laws is that they were developed and designed in a different age and in a different state of the Internet. Let me give you an example. The first state data breach law was enacted in 2003 by the state of California. The vast majority of people, I would say all people that accessed the Internet at that time, did so from a desktop computer that was static, that was stationary and that generally was in the secure confines of someone's home or business.
Today, however, when we look at the concept of data breach in terms of how people access their information, it's a world of difference and it's fundamentally different. Today, people are using mobile devices, they're using smart phones and they're storing their data in the cloud. What that means is that geographic location is largely not relevant when people are commuting, when people are accessing their data, and state lines are not particularly helpful either for the consumer or for the businesses that are trying to comply because data is no longer stationary the way it was in 2003, and people are no longer accessing their data from a stationary point much like they did in 2003. That to me is the fundamental problem with the multiple state data breach laws. They don't really respond to the real world environment of data security and data breach.
Consequences of Existing Laws
CHABROW: What are the consequences of the existing conditions?
VALDEZ: Multiple. One I think for the small to medium size business is it could be devastating to not be aware of an obligation to notify a consumer that's subject to a state law. Let me give you an example. If you're a resident of Massachusetts and you leave the state and conduct business with a company online, and that business let's say is located in New York, or the business and the consumer are transacting business in Washington D.C., under the Massachusetts law notice of a data breach affecting a Massachusetts resident must be provided. Even if a business was trying to do the right thing, if they suffer a breach, by providing notice they have to provide notice under the very specific parameters of each state data breach notification law. They can very easily be out of compliance if they're not aware that they have a Massachusetts resident who suffered a breach who, for example, went online and bought a widget using their iPad while they were sitting in the airport in Washington D.C.
CHABROW: Being out of compliance, doesn't that also create a certain unawareness that could hurt the consumer? In other words, how strong are state enforcements in situations like that and how would that consumer be aware that a breach occurred?
VALDEZ: That's exactly right, and that's the second part or the other side of the coin of the issue. The consumer is no better off and, in fact, is worse off with these multiple state laws because if, for instance, a consumer suffers a breach and the business is not aware of what their compliance obligations are, the consumer may not be able to get the kind of information they otherwise would be able to get under one-stop shopping in a consistent fashion.
For instance, if you're a resident of Florida, you only have to receive notice if the breach in fact resulted in harm to the consumer. Consumers may want to know that a breach occurred, and that's an example where, depending on if they're residents of Florida or residents of Massachusetts, or if they're traveling in one state and they're a resident of another, it's complicated for the consumer to know what their rights and the obligations of the businesses are because it all depends on where they are in transit and what their state-specific requirement is for both the resident and/or where the breach may have occurred.
Primary Components of National Breach Law
CHABROW: Let's assume Congress does enact a national breach notification law. What would you like to see as two or three of its primary components?
VALDEZ: Number one, I think that the notice must be clear and provided in a uniform manner so that you're not over-notifying a consumer if a breach has occurred or not notifying a consumer if you think a breach has occurred, but that there's a kind of uniform notice obligation.
Number two, we think that the trigger for when a notice has to be provided is uniform, so it eliminates the ambiguity for the businesses as to what their obligations are in terms of providing notice to their consumers. We think that as the technology begins to change that there's a requirement that's technology neutral. It doesn't matter what the technology is once a breach has occurred. One-stop shopping in terms of what the obligations are, as opposed to looking at a patchwork of obligations, would be great. We think that state attorneys general should be able to enforce a national data breach, but we think that individual private rights of action can sink a small business, and we think therefore that it should only be the state attorney general and the federal agency that can enforce the requirement to eliminate waste and abuse.
Finally [it's] the reasonable time frame you provide notice once a breach has been discovered.
Dealing with International Incidents
CHABROW: Not to complicate the matter, but businesses, even some small and medium-size businesses, operate internationally. How would this kind of legislation, if enacted, work with having to deal with consumers and other businesses if an incident occurs overseas?
VALDEZ: It depends on where they are. If they're in the EU, then that's a whole other set of obligations that U.S. companies must comply with. I think for a U.S. consumer that suffers a breach outside of the boundaries of the United States, because they're traveling outside of the United States, then that triggers whatever international law is at play. However, the more interesting point - the related point to what you're saying, and I don't really have a good answer to - is what happens when data's stored internationally in the cloud? That raises a host of other issues. If you have a national framework, then it's much easier to apply that national framework to circumstances that may arise. It may not neatly fit, but is connected.