author photo
By Bruce Sussman
Thu | Mar 5, 2020 | 9:21 AM PST

It's one of those hearings in Congress that will barely be reported.

But it may well influence whether the United States implements a national data breach notification law and what that law may look like.

Arguing for a national data breach disclosure law

We've just finished reviewing the testimony of Adam Hickey, the Deputy Assistant Attorney General, National Security Division, of the U.S. Department of Justice.

He argued that a national breach notification law should be broad in scope and require notification to law enforcement, especially because many organizations are reluctant to take that step.

Here are key paragraphs from his testimony.

The data security and privacy problems are growing

Hickey started his testimony by explaining four reasons that data security is becoming more vital than ever before:

"The Department has been increasingly concerned about the national security consequences of sensitive personal data falling into our adversaries' hands.

First, there is vastly more information about us and our habits stored online than there ever was before, and with the proliferation of connected devices, the volume of that information will continue to increase exponentially.

Second, while any individual piece of consumer data is probably not a national security secret, a mosaic of personal information can enable computer hackers and intelligence officers alike to better target us, by guessing our passwords, tricking us into responding to a phishing request, or, more darkly, exploiting our weaknesses, fears, or ambitions.

Third, the extent to which we are connected to each other (online and otherwise) means that information about people who do not themselves know national security or corporate secrets (perhaps our friends and relatives) can be exploited to target those of us who do.

And, fourth, as recent studies have shown, even masked or purely transactional information, when collected in bulk, can be very revealing when mined and analyzed."

Pushing for a national breach notification law

Later in Hickey's testimony, he requested Congress take action by helping to reveal data breaches to law enforcement.

"In 2018, the White House's Council of Economic Advisors observed that most data breaches are not reported to the U.S. government.

This reluctance may be driven by a fear of regulatory action, of reputational harm, or of an interruption to business operations. The
reluctance of organizations and businesses to disclose that they have been attacked constitutes a major challenge for the U.S. government in its battle against cybercrime.

Law enforcement cannot be effective without the cooperation of crime victims. A lack of cooperation may not only prevent discovery of evidence that could lead to identifying and holding the threat actors accountable, but also creates barriers to fully understanding the threat environment.

The Department has been actively evaluating statutory data breach notification requirements. Currently, there is no federal reporting requirement or standard. All 50 States have enacted separate notification laws setting standards governing notification by private
entities when a data breach occurs, and companies must navigate and comply with the varying requirements in multiple jurisdictions.

In the wake of recent high-profile data breaches exposing Americans' personal information, there is revived interest in national notification requirements.

As you and your colleagues consider a national data breach standard, we would urge you to follow the model of many State statutes and include a requirement to promptly notify law enforcement in addition to, and in advance of, notification of impacted consumers.

Government notification would increase Federal law enforcement's ability to pursue hackers and prevent data breaches. The Administration is actively working on proposed legislation, and we look forward to working with Congress on this important issue."

Is a national notification and privacy law a good idea?

In our recent podcast interview with cyber attorney Jordan Fischer of XPAN Law Group, we talked about the state-by-state approach which is confusing and time consuming to track.

She calls the current legal landscape a "target of moving targets."

But she's also reluctant to say we need a national data breach or privacy law:

"If the national standard is going to get all companies closer to a higher level than I think you could argue that it's better. But my concern would be that the stronger protections we're seeing in certain states, would be dampened by a national data protection
regulation. And it's so hard to tell right now, because we don't know what Congress might come up with."

Fischer also says organizations looking to tackle the current state-by-state privacy and data breach laws can do so effectively.

"Especially if you look at the C suite, the leadership level, those executives are almost afraid to delve into this. It feels like Pandora's box, I'm going to open up this can of worms that I don't know if I'm going to want to deal with.

But a lot of times you might be doing good things, you just don't know it."

She further unpacks how to approach this landscape and what is developing in cyber and privacy law during the podcast.