National Consumers League's 2015 Cybersecurity Policy Agenda


Upload: nationalconsumersleague

Post on 18-Jul-2015



2015 CONGRESSIONAL DATA SECURITY AGENDA: A TO-DO LIST FOR THE 114TH CONGRESS

Introduction

Rarely does a week go by without the announcement of another major data breach that has put thousands, or even millions, of consumers at risk of fraud. From malicious use of compromised credit and debit cards, to increased identity theft risk, to drained bank accounts, the threats are real and impact millions of consumers. While malicious hacking has been a problem since the dawn of the Internet Age, the unprecedented interconnectedness of our marketplace combined with an increasingly organized and skillful cyber criminal underground threatens consumer trust in the marketplace.

A key challenge for the incoming 114th Congress will be to implement long-needed reforms that will protect American consumers' personal data from malicious use by criminal hackers. For too long, inertia and fear of unintended consequences have prevented serious legislative efforts to address data insecurity in all but the most sensitive arenas. However, there is practically no piece of data that, when compromised, cannot be monetized at the expense of consumers nationwide.

It is for this reason that NCL is calling on our elected leaders to heed the call of millions of consumers to adopt the Congressional Data Security Agenda in the next Congress. The agenda items below represent ideas that have already been adopted in many states and should be applied nationally. Additionally, economic incentives that promote the adoption of strong cybersecurity safeguards by private enterprise are common-sense solutions. Finally, enforcement should be beefed up, with expert agencies given the tools they need to protect the growing amount of valuable consumer data coursing through the marketplace today.

2015 Congressional Data Security Agenda

Create a strong national data breach notification standard

When a breach occurs, consumers should be made aware of the threat to their important personal information. Modeled on strong state notification laws such as California’s, a national data breach notification standard would ensure that all consumers would benefit from this protection. It would also put companies on notice that data breaches will not go unreported.

Require data holders to abide by reasonable data security requirements

Under existing law, companies collecting health and financial data are already required to institute reasonable data security measures. Ten states have already passed comprehensive data security standards. Given the multitude of ways that other sensitive data can be misused by cybercriminals, it is important that all data collected and stored about consumers be protected.


Clarify and strengthen the FTC’s data security authority

The Federal Trade Commission is the primary cop on the beat when it comes to holding organizations accountable for protecting consumers’ data, bringing more than fifty data security actions. However, the Commission’s authority in this area has been called into question in the courts. In addition, the Commission lacks civil penalty authority. By clarifying its role and giving its actions real teeth, Congress can give consumers greater confidence in their data’s security.

Promote robust cyber-insurance underwriting standards

Even with strong cybersecurity defenses, organizations can still be hacked. When breaches happen, consumers should be made whole for the increased risk of identity theft and other harm they sustain as a result of the breach. Promoting a rigorous cyber insurance market will also incentivize the creation of underwriting standards that can adapt to changing cyber threats more quickly than proscriptive government regulations.

Increase federal civil and criminal penalties for malicious hacking

Cybercriminals can hack into corporate, government and other organizations’ networks and escape with millions of dollars’ worth of data. Increasing penalties for these criminals would strengthen the disincentive to engage in the crime and ensure that those convicted would be severely punished.

Strengthen international anti-cybercrime partnerships

Modern cybercriminals benefit greatly from lax or non-existent enforcement of anti-hacking laws overseas. Bringing crooks who defraud American consumers to justice should be an important goal of U.S. foreign policy.

Conclusion

Data security reform is one of the rare issues that has broad bipartisan appeal. More importantly, consumers nationwide would benefit greatly from Congressional actions to strengthen data security protections. Given the increasing frequency, magnitude and cost of data breaches, Congress can no longer sit back and hope the problem takes care of itself. Through strong leadership, Congress can create a framework where the scales begin to tilt back in favor of those who would protect consumers’ data rather than misuse it for their own gain. Learn more about NCL’s #DataInsecurity Project and find out how you can get involved at www.nclnet.org.