When a company like Target or Snapchat gets hacked, it puts huge stores of personally identifiable data — like credit card numbers, phone numbers and mailing addresses — at risk. Companies are understandably shy about admitting that they've been hacked, though smart ones understand it's better to get out ahead of the story rather than be consumed by it.
Should public and private organizations be required to tell customers when their data has been leaked? Washington increasingly thinks so.
On Friday, a bipartisan coalition in the House approved a measure that would require the government to notify consumers in the event of a data breach involving HealthCare.gov. Within two days of such an attack, the Department of Health and Human Services would have to contact every American connected to the system to inform them of the breach. Administration officials, meanwhile, have stressed that to date, there have been no successful intrusions against the Obamacare site.
Other lawmakers are pushing for a single, national standard governing data breaches. The chairman of the Senate Judiciary Committee, Sen. Patrick Leahy (D-Vt.), unveiled a bill this week that would force businesses to disclose data breaches within two months of their discovery, as well as make it a crime to cover up an unauthorized release of consumer information.
In a statement, Sen. Ed Markey (D-Mass.) vowed Friday to press ahead on privacy.
"When a number equal to nearly one-fourth of America’s population is affected by a data breach, it is a serious concern that must be addressed," Markey said.
The recent spate of attacks highlights the growing need for a consistent approach to data breaches. Although Target moved swiftly to address its hack by apologizing and offering consumers a year of free credit monitoring, the case involving Snapchat saw just the opposite response. The Los Angeles-based startup, whose app lets users take and share self-destructing photos and videos with each other, ignored a security vulnerability for months. When Snapchat finally got hacked over the Christmas holiday, Snapchat waited days to speak publicly about it. It finally issued a lukewarm apology on its blog two weeks after the fact.
Data breach proposals have been slow to gain traction at the federal level. A patchwork of state-level regulations currently dominates, beginning with a California statute that came into force in 2002. The 12-year-old law currently serves as the basis for data breach laws in most other jurisdictions. Meanwhile, few groups actively pursue the issue in Washington.
The Electronic Privacy Information Center is one exception. According to Marc Rotenberg, its executive director, a congressional update of data breach laws is overdue — but lawmakers could unintentionally weaken stronger state statutes that are already on the books if a federal standard is written to preempt those laws.
"Sen. Leahy’s bill is a good starting point, though the preemption provision is a problem as it will remove stronger state consumer laws," Rotenberg said. "That provision should be changed."
Another question is whether existing definitions of personal information ought to be revised. Though federal law considers Social Security numbers, credit card data and birthdays a protected form of personally identifiable data, other types of information are not.
"It's more or less information that's likely to result in primarily financial losses," said Paul Stephens, director of policy at the California-based Privacy Rights Clearinghouse.
Examples of information that isn't generally covered under the law include phone numbers and mailing addresses — just the kind of data that Target admitted Friday it lost to its hackers.