
Why the 114th Congress Will Not Be Business as Usual for Data and Cybersecurity Legislation

February 2015

Despite a slew of massive data breaches involving well-known companies like Target and Home Depot that affected hundreds of millions of Americans in recent years, past Congresses failed to overcome the Washington logjam and enact significant legislative responses to these high-profile incidents.  Previous legislative efforts to strengthen information sharing for cybersecurity threats and to enhance consumer welfare following a breach of customer data have languished notwithstanding much fanfare and initial support from lawmakers.  All that may change, however, during the 114th Congress.  The fallout from cyberattacks against Sony and health insurer Anthem Inc. is just one of the many reasons why the momentum for new data and cybersecurity law is growing.  Furthermore, a change in party control of the U.S. Senate, renewed interest and urgency from the White House, as well as aggressive enforcement activities by regulatory agencies all signal that the 114th Congress will not be business as usual for data and cybersecurity legislation.

New Congressional Leadership Brightens Prospects for New Data and Cybersecurity Legislation

The November 2014 election resulted in Democrats losing the Senate majority and thereby returning control of both chambers of Congress to the GOP for the first time in eight years.  The change in Senate leadership could increase the chances of Congress passing new data or cybersecurity legislation, as single-party control of the House and Senate agenda is more likely to encourage bicameral collaboration and coordination and helps streamline the legislative process.  In fact, both the House and Senate Subcommittees with the appropriate jurisdiction made data security and breach notification legislation the subjects of their first hearings in the new Congress. 

Meanwhile, faced with minority status in both chambers, Democrats may decide to align themselves more closely with the Obama Administration and act as the White House's proxy in Congressional negotiations with the majority. Stand-alone legislation with a good chance of being signed into law will likely require substantial support from both sides of the aisle, which means Congressional Democrats can still play a significant role in shaping the legislative debate if they choose to work with the Administration and advance a set of shared goals. 

The new Senate Commerce Committee Chairman John Thune (R-SD) is no stranger to data and cybersecurity issues.  He sponsored, with then-Chairman John D. Rockefeller (D-WV), legislation to improve coordination of cyber research and development across federal agencies that became law in the final weeks of the 113th Congress.  He also supported floor consideration of the bipartisan cybersecurity information sharing bill authored last Congress by Senators Dianne Feinstein (D-CA) and Saxby Chambliss (R-GA), which failed to advance beyond a full committee markup.  In a January speech outlining his agenda for the 114th Congress, Chairman Thune stated that he is confident that the new Senate Republican leadership will not shy away from a floor vote on a cybersecurity information sharing bill.

Like the Chairman, the new Ranking Member for the Senate Commerce Committee, Senator Bill Nelson (D-FL), has significant experience with data and cybersecurity policies.  He has already made data security and breach notification one of his top legislative issues for the new Congress by reintroducing the Data Security and Breach Notification Act, which he co-authored last Congress.

In the House, Chairman Michael Burgess (R-TX) of the Subcommittee on Commerce, Manufacturing, and Trade made clear at a recent hearing on data breach legislation that the House Energy and Commerce Committee intends to take up such a bill later this year in a targeted, expeditious manner.  Subcommittee Democrats have responded by cautiously stating that strong state data breach notification requirements should not be superseded by a weak federal framework.

Renewed Push from the Obama White House for New Data Security and Privacy Law is Injecting Fresh Momentum on the Hill

President Obama's 2015 State of the Union address highlighted the importance of addressing threats to cybersecurity. On January 13, the President sent legislative proposals to Congress seeking to (1) enhance cyber threat information sharing between the private sector and the Federal government, as well as among private sector entities, (2) create a national data breach notification standard with strong preemption of state laws, and (3) clarify law enforcement's ability to investigate and prosecute cybercrimes.

While a number of significant issues still need to be resolved, Republican leaders from both chambers have generally welcomed the President's renewed engagement on this topic and see it as a way to help speed passage of legislation this year.  For some Democratic lawmakers, the President's revised proposals could also help provide the necessary political cover to vote for the legislation, given the intense pressure and likely opposition certain privacy and civil liberty advocates are expected to generate.

The President's intent to expand data and cybersecurity is further demonstrated by the Administration's parallel effort to create a comprehensive legal and regulatory regime on consumer privacy, including the Administration's 90-day review of the collection and use of big data led by the Big Data and Privacy Working Group.  In the coming months, the White House is expected to unveil a revised legislative proposal creating a sweeping Consumer Privacy Bill of Rights.  While such comprehensive legislation faces an uphill battle in Congress, it could help ensure ongoing Congressional focus on data and cybersecurity policies and create opportunities for more modest measures to advance. Indeed, earlier this month Congressmen Luke Messer (R-ID) and Jared Polis (D-CO) announced that they plan to introduce student data privacy legislation, first called for by President Obama in January, that targets the sales of student data for advertising and other purposes.  The legislation was one of the focuses of a House Education and Workforce hearing on February 12, 2015 examining potential updates to the Family Educational Rights and Privacy Act.

Enforcement Action by Federal Agencies May Generate Additional Oversight by Congress

The lack of clear statutory mandate through new data security legislation has not deterred regulatory bodies from tackling this issue.  However, while the Federal Trade Commission (FTC) has settled more than 20 cases based on the allegation that a company's failure to reasonably safeguard consumer data was an unfair practice, its authority under Section 5 of the FTC Act is currently being challenged in the courts.

Meanwhile, the Federal Communications Commission (FCC) has aggressively waded into the area of data security. In an unprecedented move, the FCC's Enforcement Bureau adopted an expansive interpretation of the Commission's statutory authority under Title II of the Communications Act to issue a pair of Notices of Apparent Liability for Forfeiture against phone companies in the sum of $10 million last October, alleging failures to adequately protect customers' non-call related personal information such as date of birth and Social Security Number.  The FCC has never before asserted jurisdiction over data breaches under Section 222 of the Communications Act beyond breaches that involved customer proprietary network information (CPNI), such as call location or destination.  Furthermore, the FCC relied on Section 201(b)'s core common carriage prohibition against "unjust and unreasonable" practices to cover a telecommunication carrier's failure to implement certain data security practices, an assertion that has drawn close scrutiny given the current debate over reclassification of broadband Internet access service as a Title II common carrier service.

Such a novel interpretation and aggressive expansion of the FCC's jurisdiction over data breach matters may have been emboldened by the ongoing stalemate over a new data security law in Congress.  Regardless of whether Congress addresses FTC/FCC authorities as a part of the data breach and notification legislation or as a part of the Communications Act update process, it is clear from recent Congressional hearings that lawmakers are paying close attention to issues related to agency jurisdiction over data breach matters, and are looking for ways to provide some clarity.

Foundations Laid by Previous Congresses Helped Pave the Way for New Legislation

While past Congressional efforts foundered, much groundwork has been laid over the past decade on the need for new data and cybersecurity legislation.  As incidents of cybercrime and data breaches have become easier to track and document, the ability to quantify the costs of cyberattacks has grown as well, thereby encouraging Congressional action.

In addition, attempts by prior Congresses have generated volumes of Congressional record and dozens of legislative proposals through various hearings, markups, and working groups. For example, during the 111th Congress the House passed, but the Senate failed to take up, the bipartisan Data Accountability and Trust Act. Meanwhile, the 112th Congress saw similar efforts to bring breach notification legislation to the Committee level.  The 113th Congress not only saw major debates in the House and the Senate on cybersecurity information sharing legislation, but also witnessed the enactment of five cybersecurity bills largely focused on federal agencies. These prior attempts have created a solid foundation for Congressional action this year.

For the 114th Congress, a new and motivated Congressional majority and a reengaged Democratic White House, with the support of private industries and the American public clamoring for action, might just be the right ingredients to break the Washington gridlock.