We predicted some months ago that 2015 might be the year that Congress finally passed national data breach notification legislation, given what appeared to be ample bipartisan support. The nearly continuous stream of headlines announcing new data security incidents, including news of the massive data breach at the Office of Personnel Management (OPM), should have kept the issue front and center in the minds of most lawmakers. As it turns out, however, data breach-related legislation has stalled in Congress, and while a handful of states made changes to their breach notification laws, the vast majority failed to advance their data breach-related proposals.
With 2015 halfway over and the majority of state legislatures adjourned, it may be helpful to look back on the first six months of the year and review the status of data breach-related legislation across the country.
Congress: Many Proposals, No New Legislation
Congress has moved at a glacial pace in considering data security legislation this year, even as the fallout over major data breaches, including the OPM breach, turned up the heat on both the public and private sectors to protect sensitive data. At least twelve different data security-related bills have been proposed in the House and Senate, yet the majority are stalled in committee.
The Data Security and Breach Notification Act (H.R. 1770), for instance, is one of the most high-profile data breach notification bills in the 114th Congress and has advanced further than most other bills, having been marked up and amended by the House Energy and Commerce Committee on March 24. Yet no action has been taken on H.R. 1770 since then.
Cyber sharing legislation fared somewhat better, with the Protecting Cyber Networks Act (H.R. 1560) passing the House on April 22. The Senate has not yet taken up H.R. 1560, but Senate Majority Leader Mitch McConnell (R-KY) promised to move forward with the Senate’s companion bill to H.R. 1560 – the Cybersecurity Information Sharing Act of 2015 (CISA) (S. 754) – after a failed attempt to pass CISA in June.
Congress may make a strong push in the latter half of the year to send a national data breach or cyber sharing bill to the President, but our expectations have been substantially reduced.
States: Many Proposals, A Handful of Amendments
Meanwhile, state legislatures continue to add greater complexity to the patchwork of data breach notification standards across the country. At least 32 states introduced data breach notification bills in the first half of 2015, most of which failed to pass new legislation. A handful of states, however, including Nevada, Wyoming, Washington State, North Dakota, Montana, and Oregon, made important revisions to their breach notification statutes. Some amendments expanded the definition of personally identifiable information (PII), increased required content for consumer notification, required the reporting of breaches to attorneys general, and required covered entities to implement security policies.
On June 26, Rhode Island became the most recent state to amend its data breach notification statute. Senate Bill 134 Substitute B, the Rhode Island Identity Theft Protection Act of 2015, substantially revises the old law, including its breach notification provisions. The new statute, which becomes effective next year on June 26, requires covered entities to implement “a risk-based information security program” that “contains reasonable security procedures and practices … in order to protect the personal information from unauthorized access, use, modification, destruction or disclosure …” The statute also requires covered entities to implement a written document retention policy and not to retain personal information longer than necessary. It also requires written agreements with third-party providers ensuring that they implement and maintain reasonable security practices. The new statute expands the definition of PII to include medical or health insurance information and certain email address information. Finally, it requires consumer notice within 45 days of a breach’s discovery, and if the breach affects more than 500 individuals, notice must also be provided to the state Attorney General.
The amendments passed by these seven states will affect the obligations of covered entities in a number of important ways. As each state’s amendments take effect, covered entities must ensure that their information privacy and security policies, and their data breach response procedures, comport with the new statutory requirements.
The Rest of the Union: Pending or Failed Bills
In Illinois, the classic song “I’m Just a Bill” from Schoolhouse Rock! comes to mind as legislation that would drastically revise the Land of Lincoln’s data breach statute sits on the capitol steps in Springfield, awaiting Illinois Governor Bruce Rauner’s signature or veto. S.B. 1833 cleared the legislature on May 31 and, if enacted, would expand the definition of PII in Illinois to include medical, health insurance, and biometric information, require notice to the state Attorney General within 30 business days of discovery if the breach affects more than 250 residents, and impose new data security and privacy duties on covered entities.
In legislatures elsewhere, data breach legislation struggled to gain traction, even in the remaining states that do not yet have data breach provisions on their books – Alabama, New Mexico, and South Dakota. The bulk of data breach bills proposed in state assemblies at the start of the 2015 legislative session have already died, as the majority of legislatures have already adjourned without tending to the data breach legislation before them. As referenced above, at least 32 states introduced data breach notification bills in the first half of 2015, most of which failed to pass new legislation. Two of the remaining 14 states’ legislatures still in session – Oregon and Illinois – have already passed or enacted data breach legislation, while another five legislatures have related bills pending in one or both houses. It is possible that a few more pending state data breach bills will become law, creating additional changes to the regulatory mosaic. National data breach legislation could also be passed and signed by the President before the 114th Congress adjourns, effectively replacing that mosaic … but we don’t expect drastic changes anytime soon.