September 26, 2017
The Equifax breach exposed millions of U.S. adults’ personal information, prompted Federal Trade Commission and FBI investigations, and spurred lawsuits by many states’ attorneys general. With the threat of even worse breaches in the future, companies will be urged to adopt better cybersecurity practices. But the Equifax breach is likely to have another result that tech companies won’t like: the need for transparency. Although 48 states have already passed data-breach disclosure laws, now federal regulations are proposed.
The Wall Street Journal notes that “the patchwork of data-breach disclosure laws” in those 48 states has failed to “get companies — wary of increased costs and hits to their reputations — in line.” Among those supporting federal regulation is Rep. Jim Langevin (D-RI), who, along with co-sponsors Rep. Ted Lieu (D-CA) and Rep. Carol Shea-Porter (D-NH), all members of the bipartisan Congressional Cybersecurity Caucus, “reintroduced the Personal Data Notification and Protection Act, first proposed by President Obama in 2015.”
The proposed legislation would force companies to disclose breaches within 30 days (not the six weeks that Equifax took) to the FTC and Department of Homeland Security, “which would become central clearinghouses for breach information.” Companies out of compliance could face fines up to $1 million per violation, and “be liable for civil penalties in lawsuits from states attorneys general, with no limit on the damages that could be recovered if the company is found to have acted willfully or intentionally.”
Those in favor of regulation point to the European Union’s General Data Protection Regulation, “which will force companies that do business in the EU and the United Kingdom to promptly disclose when personal data is breached.”
Andrea O’Sullivan, program manager at George Mason University’s Mercatus Center, is among those opposed to regulation, echoing others who say that, if passed, the legislation “would prioritize compliance … rather than actually dealing with the fast-moving problem of cybersecurity.” Another concern is that reporting every breach could cause “data breach fatigue.”
Elsewhere, WSJ reports that the Department of Homeland Security “gave election officials in nearly two dozen states additional information on Russian targeting of their election systems last year,” and said it was “up to the states to disclose to the public whether they were targets of the Russian-backed campaign.”
Up until this most recent disclosure, “election officials in nearly a dozen states [were] unaware of whether their state systems were targeted.” DHS also “agreed to make sure that the top state election officials were notified about breaches in the future,” said National Association of Secretaries of State director of communication Stephen Reed.