Federal Cybersecurity Legislation Moving Quickly, But Is It In the Wrong Direction?

Marcus Lee
Moore & Van Allen PLLC
Contact
LinkedIn
Facebook
X
Send
Embed

Federal cybersecurity legislation seeking to establish a national standard for data protection and breach response is quickly working its way through the legislative process.  The bipartisan bill, formerly known as the Data Security And Breach Notification Act of 2015 (hereafter “cybersecurity bill”), was introduced into the U.S. Senate on April 16, 2015, by Sen. Tom Carper (D-Delaware) and Sen. Roy Blunt (R-Missouri).   According to the bill, it is intended to provide a “clear set of national standards that would help the prevention of and response to data breaches at public and private institutions.”  The cybersecurity bill, which has been extensively revised and amended by both parties, has made its way through the House Energy and Commerce Committee and is ready for debate before the full Senate.

The current version of the cybersecurity bill requires a business to inform customers within 30 days if their data might have been stolen during a breach. The 30 day notification period starts when the business has discovered the breach and conducted a good-faith investigation to determine if there is a reasonable risk of identity theft, financial fraud or economic loss or harm.  Third-party vendors must notify affected consumers on the same schedule.  Also notable, the cybersecurity bill completely preempts all 49 state-level notification and security requirements (many conflicting) and establishes a single national standard for compliance.

Proponents of the cybersecurity bill, such as the American Banking Association, laude the bill as a comprehensive bipartisan effort that “will help facilitate increased cyber intelligence information sharing between the private and public sectors, and strikes the appropriate balance between protecting consumer privacy and allowing information sharing on serious threats to our nation’s critical infrastructures.”   However, critics of the cybersecurity bill, including privacy advocates, suggest that the bill is a step backwards because it is weaker than the data security and breach notification standards that the public currently enjoys under stronger state laws (which will be preempted) and existing federal law.  The national standard established by the cybersecurity bill – that a business must maintain “reasonable security measures and practices” – has also been criticized as too vague and could lead to being overly intrusive in business and consumer privacy.

We will continue to monitor the progress of the cybersecurity bill and keep you informed as it makes its way through the legislative process.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Moore & Van Allen PLLC | Attorney Advertising

Written by:

Moore & Van Allen PLLC
Moore & Van Allen PLLC
Contact
more
less

Moore & Van Allen PLLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide