Policy Analysis –
After years of debate (or at least the threat of debate) on a Federal data breach notification law, Congress has approached the subject with a new sense of energy in the wake of the Equifax breach. The breach, which may have exposed the PII of 143 million Americans, is most notable for how poorly the company handled the announcement and response: it announced the breach nearly 2 months after discovery and provided unclear, unhelpful, and potentially deceptive notification to those potentially affected. Otherwise, it was just another ho-hum theft of nearly half the country’s PII that occurred as the result of unpatched, known vulnerabilities in poorly architected legacy systems.
So what is Congress going to do about it?
Well, they will hold a few hearings and demand answers with feigned outrage. We’ve seen this before, and it has not led to meaningful reform of breach notification or of the legal and economic structure that facilitates the lax approach to security we saw at Equifax. There’s not much reason to think this breach will elicit a different response from Washington. But it is worth noting that the White House has said it will look into new regulations to protect consumers from the impact of such breaches.
Federal Data Breach Notification – Back in 2011 and then again in 2015, the Obama Administration put forward legislative proposals to create a Federal data breach notification standard. These proposals were constructed so as not to “pre-empt” the 47 state laws (good comparison tool here) already in place, or specific industry regulations. As a result, the scope was pretty narrow, which was viewed as the only way to get a law passed. But even such a limited Federal approach didn’t make any headway in Congress, despite a series of large-scale breaches. Various bills from different Congressional committees have been introduced since, but none have made serious progress toward becoming law.
As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion on responding to a cyber breach, become a member of H-ISAC.