By Stuart M. Gerson, a Member of Epstein Becker & Green, P.C., who previously served as Acting Attorney General and Assistant Attorney General at the Department of Justice. Mr. Gerson is a member of Washington Legal Foundation’s Legal Policy Advisory Board and serves as a Director of The National Council of Registered ISAOs (NCRI), a member-driven organization that functions as a forum for sharing cybersecurity threat information and best practices.
Regulatory Background and the Need for Change
Significant data breaches at every level of national life have pushed the privacy and security of personally-identifiable information (PII) to the forefront of state and federal policymakers’ agendas. In the interests of efficiency and effectiveness, the American business community has argued for several years for a uniform national breach-notification statute that is preemptive of State law. While there have been several congressional initiatives along this line, none have produced a politically-viable solution. However, legislative interest has intensified of late for a federal law that encompasses data-breach notification and other aspects of privacy and security. Large and small businesses support a national approach due in part to the risks posed by contradictory and discriminatorily enforced state rules that undergo constant changes and arbitrary administrative implementation.
Despite American businesses’ commitment to security compliance and training efforts, cybercrime and the losses it engenders continue to grow substantially. Moreover, the cyber landscape itself has changed, magnifying the effects of data-breach incidents at both the personal and national-security levels. Both domestic and foreign criminal activity, often sponsored by, or even conducted directly by, hostile nation states, has run rampant. Individuals, businesses, and government are caught up in a global cyber conflict that cannot be won with the current legal framework of fragmented and contradictory laws, inefficient and often pointless private litigation, inconsistent federal oversight and enforcement, and insufficient public-private trust. We can do better.
Federal preemption and a greater level of privacy and security for personal and enterprise data are not mutually exclusive. Indeed, this paper’s fundamental thesis is that enhancing security and coordination of effort and enforcement at the national level will help preserve individuals’ and businesses’ privacy.
A Confused and Misdirected Cybersecurity and Privacy Landscape
The United States currently has no national, unifying data-security or privacy law. There are industry-specific federal laws like The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104-191, 110 Stat. 1936, enacted August 21, 1996), which governs entities that hold or manage individuals’ healthcare-related identifiable information. But HIPAA and other federal privacy laws present certain regulatory and compliance difficulties and don’t preempt state laws occupying the same field.
Currently all 50 States and each U.S. Territory have data-security and breach notification statutes, but they vary widely and often are contradictory. A company doing interstate business and handling PII faces:
- Differing and confusing definitions of covered entities;
- Varying requirements for third parties that maintain PII;
- Disparate definitions of what constitutes a reportable breach;
- Widely varying procedures regarding notices and timing in the case of a breach;
- Inconsistent availability and extent of exemptions and safe harbors, e.g., for encryption, good-faith receipt of protected information, credit for compliance with regulatory protocols, etc.;
- Varying methods of enforcement, e.g., attorneys general, regulatory bodies, private rights of action;
- Irrationally differing penalties and required remedies; and
- Uncertain rights and remedies for injured persons and litigants.
The Status Quo Is Not Working Well
Despite a commitment to cyber compliance by businesses of all sizes, and their determined education of individuals about password protection, security of mobile devices, phishing, and other social engineering, reportable cyber incidents grew an astounding 1,300% between 2006 and 2015. With massive ransomware attacks, zero-day exploits and nation-state-sponsored onslaughts, the number of incidents continues to grow.
The information networks that house PII are inherently at risk. They are highly complex and dynamic, technologically diverse, and often geographically dispersed. This complexity complicates the protection of the operating systems, applications, and devices that comprise a computer network. And despite best efforts and regular maintenance, those systems are plagued with security vulnerabilities. Indeed, the Mitre Corporation’s national vulnerability database identified 78,907 publicly known cybersecurity vulnerabilities two years ago. Despite curing many, the addition of new systems has likely swelled the vulnerability list to over 100,000.
What about the cost of data breaches? One may think that enhanced compliance not only should reduce the number of breaches (it clearly hasn’t), but that related efficiencies should lower the costs associated with those breaches (sadly, not so either). The most recent annual “Cost of a Data Breach” study—the industry’s gold-standard benchmark research, independently conducted by Ponemon Institute—reports the global average cost of a breach is up 6.4% over the previous year to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8% year over year to $148. This study focuses on larger businesses and, according to the Rand Corporation, the cost of cyber-incidents for smaller businesses is in the hundreds of thousands of dollars.
Does the Current Sanctions and Litigation-Judgment Modality Work?
State regulators and attorneys general, federal enforcement agencies, including the Securities and Exchange Commission, the Federal Trade Commission and the Department of Health & Human Services Office of Civil Rights (which oversees HIPAA compliance), and many legislators measure success by the fines, settlements, and the rare trial-based judgments obtained from organizations. As the size of these recoveries has steadily increased, the number of breach incidents also has continued to rise. Both bureaucrats and politicians are wont to state that in order to gain even greater protection for the privacy of individual information, fines and penalties should be increased and expanded. There is a surface logic to this position, and fines and monetary recoveries are appropriate in some situations, especially in cases of actionable negligence. However, the facts of cyber security life demonstrate that an alternative structure must be found to the punitive-sanctions model.
What about private litigation? Can class actions and private attorney general suits act as an effective deterrent to data breaches? Though the number of such cases is rising, the increasing number of cyber-attacks and breach cases suggests that litigation is, at best, only part of the answer.
Private data-breach litigation cannot provide a reliable, sustainable means of addressing privacy and security concerns. In order for plaintiffs to bring data-breach claims in state or federal court, they must establish standing to sue, for which there is currently no consistent national standard. Consider, for instance, the State of Illinois’ unique Biometric Information Privacy Act, which the State’s highest court has determined allows private rights of action without respect to injury in fact. Rosenbach v. Six Flags Entertainment Corp., No. 123186 (Ill. Jan. 25, 2019). By contrast, plaintiffs filing data-breach-related suits in federal court, under the rationale of the U.S. Supreme Court’s decision in Spokeo v. Robins, 136 S. Ct. 1540 (2016), must be able to show an actual or inevitable personal harm.
In situations where plaintiffs need to show not only a statutory violation, but also that they suffered an injury in fact, very few will be able to establish standing to sue. Why is this? Most breaches have at least some economic motivation, and the phenomenon of “identity theft” is real to some degree. Shouldn’t that produce plaintiffs who can show actual injury, not just alleged apprehension over potential identity theft that rarely occurs?
This is not the case for several reasons. First, breaches have become so frequent and so massive that individuals can’t assign loss to a given breach. Also, widespread credit monitoring and insurance appear effective, eliminating or mitigating harm. Finally, while a breach of one’s privacy is unpleasant and inexcusable, individuals are not the primary economic victims. Data thieves are rational actors and often find it better to seek large dollar hauls rather than small ones from individuals. Thus, stolen PII often is aggregated in scams to file for fraudulent tax refunds or to bill government-sponsored health and welfare programs. Stolen PII also can provide leads for criminals to infiltrate networks and conduct phishing exploits including ransomware installations.
At the federal level, data-breach plaintiffs’ attempts to establish injury in fact have produced profound disorder in the courts. The Supreme Court in Spokeo reiterated the criteria for Article III standing enunciated in Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992). To have a justiciable case or controversy under Article III, a plaintiff must have, among other things, suffered an injury in fact. The inconsistent application of this standard in federal breach and other litigation has left an unresolved split among the circuit courts of appeals. The Fourth, Fifth, Seventh, Eighth, and Eleventh Circuits have a strict view of Article III, requiring actual or impending harm. The Second and Third Circuits only require a showing of risk to someone, not necessarily a named class plaintiff. And the Third, Sixth, Seventh, Ninth, Eleventh, and D.C. Circuits require little more than a showing of data theft and the apprehension of later loss.
Some plaintiffs, of course, can establish standing to sue. Banks and credit card companies, for example, that must deal with securing accounts of business and individual customers whose PII has been stolen can demonstrate injury in fact, as can individuals in some courts. However, on the whole, the litigation regime has not been an effective deterrent and its inconsistent application doesn’t well serve the interests of individual plaintiffs or business defendants. The Supreme Court has declined to resolve the circuit split and the law on the subject is inconsistently applied in both federal and state courts.
America Not Only Has a Data-Security Problem, It Has a National-Security Problem
America’s current decentralized and inconsistent legal framework for data-privacy and security severely weakens defensive prevention of and responses to sophisticated attacks aimed not only at personal data, but entire business and government data networks. The theft of PII and the hacking of individual computers can serve as a gateway to broader public injury. Corporate and governmental intellectual property, election facilities, transportation and public utilities including the national electric grid and regional water supplies, as well as the so-called Internet of Things, which includes items ranging from home appliances to medical devices, are all vulnerable to hackers. With those facts in mind, policymakers must think about who is perpetrating data breaches. Often, especially in the largest cases, it is nation-state-sponsored hackers or adversary countries themselves.
The largest hacks and exploits of the past several years involve foreign interests. The American public has read with interest and alarm about the hacks at companies like Yahoo, Equifax, and Anthem, involving the theft of the PII of billions of individuals, as well as ransomware exploits such as WannaCry and Petya. And it isn’t just private companies that are affected by these foreign-based efforts. The breaches of the Office of Personnel Management and SEC show that the government’s PII databases also are vulnerable.
The United States has four principal adversaries that pursue systems intrusion and PII theft as part of their national policy. The most troublesome and sophisticated of these is Russia, whose intrusions into our election system and compromise of private email systems have been exposed by U.S. intelligence services. Russia seeks to sow political disorder among its adversaries and to weaken them while attempting to increase its international power. China has a two-fold aim. First, its well-documented theft of intellectual property has enhanced its economy without the need to innovate or expend resources. Second, China has created massive databases of stolen PII and, using “big data” techniques, is employing this information to gain worldwide acceptance and respect. The hack of Marriott, involving the theft of 500 million customers’ PII, has been attributed to Chinese state hackers and has led to the indictment of a number of individuals. Similar, in absentia, indictments have been returned against Russian criminal actors. Iran and North Korea, both less successful and sophisticated, but still quite capable, round out the list of the country’s leading cyber adversaries and thieves of PII.
There is a Need for Public/Private Partnership, Cooperation and Trust
A national data-security and privacy law that preempts state regulation not only would standardize enforcement but also could serve to enhance and expand public/private cooperation and information sharing. Cooperation between the sectors is already occurring. Examples include Information Sharing and Analysis Organizations (ISAOs) and Information Sharing and Analysis Centers (ISACs), as well as InfraGard, a non-profit partnership between the Federal Bureau of Investigation and businesses and others in the private sector. Federal laws have enhanced sharing efforts, including the Cybersecurity Information Sharing Act of 2015 (Pub. L. No. 114-113, div. N., 129 Stat. 2242, 2936-2956 (2015)) and a part of the Homeland Security Act of 2002, Public Law 107-296, designated as the Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act) of 2002. The Department of Homeland Security recently created the National Risk Management Center, a dedicated hub to help private industry avoid and respond to cyberattacks from around the world.
The private sector’s fear of legal exposure, however, has limited the impact of public/private partnerships. Whatever incentives and protections currently are available for businesses’ open discussion of security vulnerabilities and data-breach details do not bind the States and various federal enforcement entities. Exposing actual or potential vulnerabilities would spark fears of expensive and damaging enforcement responses. This situation could materially change if a national, preemptive breach and security law were adopted with useful incentives like a safe harbor for compliance with recognized standards.
A Preemptive National Breach Law Will Protect Data Privacy
The increase in data breaches, despite vastly enhanced private and public compliance efforts and administrative fines and sanctions, demonstrates that punitive enforcement, fragmented and inconsistent state and federal legislation, and private litigation have been ineffective tools for data-privacy protection. While compliance is important and sanctions sometimes warranted, the overall enforcement paradigm cannot succeed unless it is clarified by a federal data-security law that expressly preempts state law and regulation.
That is not to say, however, that litigation, fines, and regulatory supervision have no place in a national standard. They do, but incentives and cooperation, which are sorely lacking under the fragmented and unpredictable current system, are also needed. A unified law with a unified approach will benefit businesses, which will be relieved of the costs of dealing with often-contradictory compliance and liability issues on a state-by-state basis. But a preemptive standard will also help individuals better understand their rights, avoid legal disputes, and, most of all, have an increased sense of security about the privacy of their personal information. Finally, national uniformity will allow federal institutions to consistently and effectively manage data security while also enhancing America’s national security against our cyber adversaries.