On November 30, three Senate Democrats introduced the now third pending bill concerning data breach response and substantive data security requirements, all three of which came in the wake of the Uber and Equifax data breaches, and the stunning revelation that Uber hid the breach for over a year. Indeed, as is now well known, Uber went so far as to pay a hacker or hackers to conceal the breach and delete the compromised data.
As the old maxim goes, “bad facts make bad law,” although the maxim usually applies to case law, not legislation. In the data breach world, however, it is becoming more and more clear that bad breaches can lead to bad data security legislation. Case in point, the rise of state-law “reasonableness” standards in relation to substantive information security controls, as found in the newly-proposed SHIELD Act in New York. A law requiring companies to be “reasonable” in their cybersecurity practices may seem perfectly reasonable, until you realize that the only consensus one can achieve as to what a “reasonable” set of cybersecurity controls might be is that consensus on that topic is neigh impossible. Indeed, after a breach, pre-breach security practices are always seen in a negative light, such that what was reasonable before even a zero-day exploit may seem unreasonable after the exploit, depending on the circumstances of the resulting breach.
Back to the Senate, the three pending Democratic bills differ on a number of points, but one common thread is a criminal penalty for concealing a breach, specifically up to five years in federal prison for “intentionally and willfully conceal[ing] the fact of the breach.” See S. 2179, 115th Congress (proposed addition of 18 U.S.C. § 1041). Here again, a bad breach may be making bad law. Although it is unclear whether anything like the three pending Democratic bills will pass through Congress, let alone be approved by the current administration, the move toward criminalizing improper breach response is a game changer. 48 states, 3 territories, the District of Columbia, and New York City (as well as other jurisdictions around the nation) already require notification following a data breach, on pain of potential fines, investigation, injunction, and negative publicity. Adding personal criminal liability to the mix will only lead to over-reporting, or overly early reporting, which can create more harm than good.
Over-reporting, or overly early reporting, can lead to increased breach response costs for the breached entity. It can result in negative publicity and a precipitous loss in stock price or brand equity. It can also create confusion and upset with the individuals receiving the notice, because early in the breach response process, a fog of war surrounds the facts of what was breached, if anything, and who was affected, if anyone. Often, in the days and weeks following a suspected breach, an incident that appeared to involve widespread compromise of protected information can prove to have been more limited in scope, or an exfiltrated file can prove to have protected with strong encryption, which provides a safe harbor from notification under the various state-law reporting requirements that may apply.
But with the sword of prosecution and prison hanging over the heads of everyone in an organization, from the server room to the board room, we could see more knee-jerk notification, with disastrous results. Certainly, someone should be held to account for concealing a breach. In the court of public opinion, we are - - perhaps rightly - - quick to judge, based on the sensationalist reporting we see on the subject. Indeed, a truism for 2017 has been that nothing opens the nightly news more poignantly, or leads to more clicks on-line, than a juicy story about a major corporation (or government entity) falling down in relation to breach response. But when lawmakers begin proposing jail time for potentially any employee involved in breach response, a more circumspect approach may be warranted.