For more than a decade, Congress has tried to address the rampant occurrences of data breaches. Since the ChoicePoint breach in 2005, the House and Senate have introduced roughly 50 different pieces of legislation related to data security. None of them have been enacted into law. The reasons for this are many, but the biggest reason is that there are so many different types of companies that would fall under these bills’ provisions that legislators have been unable to craft a solution that fits all of them.
In 2016, roughly 15.4 million American consumers had their identities stolen, and fraud and identity theft cost Americans about $16 billion. Last year’s Equifax breach exposed another 145 million consumers to data theft, most of whom are Americans. While not all the victims of the Equifax breach will fall victim to identity theft or fraud, the work to prevent fraud can be costly and taxing on our economy.
The aftermath of the Equifax breach saw renewed calls for federal data breach legislation, but many who watch this policy debate closely were left feeling the same déjà vu all over again. That’s because similar outrage and calls for congressional action followed the Target breach in 2013, and the Home Depot, Michaels, and Sony breaches in 2014. Between the Target and Home Depot breaches alone, nearly 100 million credit card numbers were taken, impacting the lives, finances, and data security of countless Americans across the country.
Congress rightfully sought to create better incentives for American companies to secure their networks and their data, but agreement on a legislative solution remains elusive.
In general, the bills that have been proposed have two components: 1) a single, federal requirement to secure sensitive information, and 2) a requirement that companies that have suffered a breach notify all affected consumers. These components are vital because current law in this area is a mish-mash of unaligned state and federal requirements. The Federal Trade Commission (FTC) enforces a statute prohibiting “unfair or deceptive acts or practices in or affecting commerce.” This general statute applies to information held by all entities, except for those that are more closely regulated because of the inherent sensitivity of the data they hold and its specific attributes—such as healthcare companies and financial institutions. Most, but certainly not all, of our member companies fall under the general FTC regime and are not categorized as healthcare or financial institutions.
The FTC has expended a great deal of effort to interpret its general prohibition on unfair or deceptive acts or practices in a way that requires companies to implement data security programs that are reasonable considering the size and complexity of the enterprise, sensitivity of the data being processed, and the cost of measures to mitigate security issues. This is a wise and flexible approach, but data breaches continue to plague our economy and put consumer data at risk. Meanwhile, no specific federal regime requires companies to inform consumers after a breach, even though there are 48 different sets of notification requirements in state and territory law.
But, like most congressional efforts, the outcome will affect serious and powerful stakeholders who must fight for their industries. Major political and economic rivalries—not to mention legitimately divergent interests—make it extremely difficult to agree on a federal bill in this area. As banks and retailers import their longstanding quarrel over interchange (credit card “swipe”) fees into the data security debate, the conflict has opened another front between retailers and third-party data processors.
With high-profile data breaches at Target, Home Depot, Michaels, and other stores, the retail industry is understandably defensive after having their ranks repeatedly raked over the coals by the media. The industry has since turned its attention to cloud providers and companies like our members that process data on behalf of other firms. Specifically, retailers have asked legislators to impose separate notification requirements on third-party data processors if the company with the direct customer relationship (i.e., a retailer) experiences a breach. Retailers have argued that cloud companies are large and have a bargaining advantage over small retailers—and could potentially impose unfair notification requirements, even if the cloud provider were at fault.
This rationale doesn’t reflect reality, however. Many small tech companies like App Association members fall into the category of third-party providers or data processors. For example, DiamondIT in Bakersfield, California, has about 20 employees and provides cloud services. Similarly, GroundSpeed of Toledo, Ohio, is a custom software developer and consultancy that handles some data on behalf of its clients – companies that maintain direct relationships with their customers. These small software companies do not possess a bargaining advantage over their clients. In fact, these companies are often contractually or legally barred from collecting their clients’ customers’ contact information – information that is necessary to provide a notification in the event of a breach. Moreover, most breach victims would be confused if they received a notice from a third-party company like GroundSpeed because their relationship is with GroundSpeed’s client, not GroundSpeed.
ACT | The App Association has educated members of the House Committee on Energy and Commerce—which has primary jurisdiction over this issue—on the unintended consequences of breach notification requirements. This policy could have a devastating impact on our members and a variety of well-intentioned small businesses that are not at fault and do not have direct relationships with the victims of data breaches. We believe our members would benefit from data security and breach notification legislation that imposes a strong but flexible data security requirement along with breach notification mandates that reflect the flexible approach of state laws. However, a requirement for third parties to notify breach victims would likely make our members worse off despite better parts of the bill. We urge Congress pursue a simple approach that puts consumers first.