Renewed Congressional Interest in Federal Data Security and Breach Notification Legislation

by Akin Gump Strauss Hauer & Feld LLP

In light of recent, well-publicized, data security breaches at major retailers and social media company Snapchat, legislators are renewing the call for new federal laws that would strengthen data security and notification requirements.

On December 19, 2013, Target issued a press release disclosing that approximately 40 million credit and debit card account numbers had been hacked from its system, a number that has since risen to potentially as many as 110 million accounts. The breach is currently being investigated by the U.S. Secret Service Electronic Crimes Task Force. Further, state attorneys general across the country said they will examine whether Target provided enough protection for its customers. On New Year’s Eve, an anonymous group or person hacked into Snapchat’s servers and publicly released the usernames and phone numbers of more than 4.6 million Snapchat users. Additionally, on January 11, 2014, retailer Neiman Marcus confirmed that hackers had breached its servers and accessed customer payment information.

Citing the Target data breach, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) introduced the Personal Data Privacy and Security Act (S. 1897). The bill would create a national standard for data breach notification, require that companies engaging in interstate commerce keep consumer data they collect secure from outside intrusion or public release, and allow the assessment of potential criminal and civil penalties. Additionally, Sen. Edward J. Markey (D-MA), a member of the Senate Commerce Committee, released a statement saying that the Target breach illustrates the need for stronger data security standards.

Sen. Tom Carper (D-DE) also announced that he plans to reintroduce similar legislation that would create a national reporting standard for data breaches that would apply to both retailers and financial institutions. Sen. Pat Toomey (R-PA) has had a similar bill, the Data Security and Breach Notification Act of 2013 (S. 1193), pending before the Senate Commerce Committee since June 2013. That bill would grant the Federal Trade Commission (FTC) new authority to establish and enforce regulations requiring companies to protect consumer data and notify consumers in the event of a breach.

Additionally, some lawmakers are calling on the FTC to investigate using its current authority. In a letter to the FTC on December 22, 2013, regarding the recent Target breach, Senator Richard Blumenthal (D-CT) wrote that “it appears Target may have failed to employ reasonable and appropriate security measures to protect personal information.”

While the introduction of new legislation amid the Target and Snapchat breaches increases the likelihood that data breach notification requirements will gain some traction on Capitol Hill this year, it remains to be seen whether broader, more comprehensive action on consumer privacy rights and data security will occur. A broader privacy bill pitched by the Obama Administration, known as the “Consumer Privacy Bill of Rights,” is also unlikely to see significant legislative action. That proposal would focus on giving consumers individual control of how their data is collected and used while requiring companies that collect consumer data to be more transparent about their use and protection of the data. The proposal would rely on a combination of increased FTC enforcement authority, along with new legislation to accomplish those goals.

So far, Congress’s focus in this area in 2014 is centered on data protection and breach notification, as opposed to other topics, such as consumer privacy rights. Indeed, the House passed a bill on January 10, 2014, that focuses on data security rules for, the federal government website where the public can sign up for health insurance coverage under the Affordable Care Act. The bill, sponsored Rep. Joe Pitts (R-PA), would require the Obama Administration to notify federal and state exchange users within two days if their personal data has been breached. While the bill was supported by 67 House Democrats, it is being seen more as a political measure than a policy shift toward support for a uniform federal breach notification standard for private companies. The bill is not expected to be taken up in the Senate.

Whether Congress will or should act on consumer data protection and breach notification remains open for debate. Given the current patchwork of state regulations concerning breach notification, some companies may welcome a single, reasonable federal standard. Some stakeholders argue, however, that such federal standards are unnecessary, given companies’ self-interest in protecting their customers’ personal information. Indeed, just this week, it was reported that Target will offer customers free credit monitoring and identity theft protection in response to the December breach. While some federal legislation may call for such a remedy, Target is not currently required by law to do so.

As the Snapchat breach has shown, data protection and breach notification are not problems for just retailers and financial institutions that handle sensitive consumer and financial data, but also social media companies that harvest troves of personal private data. Data privacy in this realm can lead to complicated legal quandaries.

According to a statement by the Snapchat hacker(s), the breach was made in order to raise public awareness about Snapchat’s inadequate privacy protections and force the company to fix the security flaws the hacker(s) exploited. Snapchat has apologized to its users and promised to remedy the security flaws that allowed the breach. Snapchat, whose premise is the sharing of photographs between mobile devices which are then automatically deleted after a user-specified amount of time, faced earlier scrutiny in May 2013, when the Electronic Privacy Information Center (EPIC) filed a complaint with the FTC, alleging that Snapchat misled its customers when it claimed their photos would “disappear forever.” In practice, EPIC argued, the photos remain stored on users’ phones and could potentially be accessed by someone with specialized knowledge.

While there will always be the threat of malicious actors seeking to obtain and manipulate personal, private data collected by companies for legitimate business purposes, it will ultimately remain in the self-interest of companies to try and stay as far ahead of the hackers as possible, whether or not federal lawmakers ultimately enact comprehensive data protection laws or some form of breach notification requirements. As the old adage goes, “an ounce of prevention is worth a pound of cure.” Congress may decide to legislate greater preventative measures, and if it does, should do so in a way that gives companies the flexibility needed to respond to new threats.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising

Written by:

Akin Gump Strauss Hauer & Feld LLP

Akin Gump Strauss Hauer & Feld LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.