
Wednesday, January 4, 2017

UConn Law Professor Testifies Before Congress on Cybersecurity

By Geoffrey J. Miller
Published in The Hartford Courant, Aug. 12, 2013.

Photo Credit: Dallas Business Journal
The U.S. House of Representatives recently invited six distinguished experts, including Professor David Thaw of the University of Connecticut School of Law, to give their opinions on a possible federal law that would govern when companies are required to notify consumers of data breaches. This is the fourth time in less than a decade that such a law has been discussed.

When technology expands, the law slowly grows up around it. Often the result is what subcommittee chair Lee Terry (R-Nebraska) referred to as "a patchwork of state and territory-specific statutes...[that] tend to differ from each other in many ways." This is the case for many laws governing the internet, including those that govern data breach notification requirements.

According to the National Conference of State Legislatures, there are currently forty-six state and four territorial breach notification laws, plus the federal Health Insurance Portability and Accountability Act (HIPAA), which applies only to medical information. Because a single online breach may affect consumers from all fifty states, it is easy to see how these different and sometimes contradictory laws can be a nightmare for a company that is faced with a security breach.

According to Professor Thaw's testimony, there are several types of notification statutes, with different thresholds for determining when notification is required. One option is to require the reporting of all breaches to a central regulatory authority and allow that authority to determine notification. Another option is a risk-of-harm threshold that governs when companies must notify consumers. If the latter system is used, there is a further choice between a "negative threshold requirement" and a "positive threshold requirement." Under a negative threshold requirement, a company that suffers a breach must notify consumers only if its own investigation reveals a risk of harm. The problem is that this rewards companies for doing poor investigations: if they do not find a risk of harm, they do not need to do anything.

According to Thaw, an overarching federal regime must incentivize thorough cybersecurity investigations. This is probably best served by a positive threshold requirement, which reverses the burden of proof: the company must disprove a risk of consumer harm in order to exempt itself from notification. This incentivizes a thorough investigation, because that investigation could exempt the company from notification, saving it time and bad press. According to Thaw, positive threshold requirements also provide a built-in layer of protection for consumers, because good investigations help identify vulnerabilities and increase the chances of catching bad actors.

All six experts generally approved of a federal breach notification regime, though they differed on details and priorities.

One such disagreement was over preemption. Total preemption would mean that the federal law would occupy the whole field of breach notification, overriding state laws. Kevin Richards, senior vice president of federal government affairs at the technology trade association TechAmerica, argued in favor of a "uniform, preemptive standard," as did Dan Liutikas, chief legal officer of the technology vendor group CompTIA. Liutikas pointed out that "many of these state laws are in conflict with each other."

It is also possible to have partial preemption, where the federal government sets a minimum standard but states are still allowed to experiment with greater protections beyond the federal minimum. Andrea Matwyshyn, an assistant professor of legal studies and business ethics at The Wharton School, said that a basic federal law was a good thing, but that it should not totally preempt state law, noting that "limiting states' rights to impose liability for information security misconduct will further erode consumer trust and damage innovation in the United States."

All things considered, federal preemption makes sense. The internet does not respect state lines. Having fifty different regimes is fine for something like burglary, where at most two or three states will be involved, but when someone hacks into eHarmony and gets the name of everyone's first pet or elementary school teacher (the stock answers to the security questions that guard password resets), data belonging to people in all fifty states is often taken. How then is eHarmony supposed to respond to fifty different and sometimes contradictory regimes for when and what to report? Does it need to alert consumers of a breach? Only some consumers? For a deeper discussion of how this issue affects companies, see Standing in the Breach - State Law Requirements When a Customer Data Breach Occurs, by Shane B. Hanson.

The internet does not respect borders, and any area where a single incident will easily touch someone in every state is probably better off with a single regime that preempts the others. Without preemption, a federal law would merely add another set of guidelines to the stack and might end up doing more harm than good.

Additionally, as Professor Thaw pointed out, this area is highly specialized and expensive to enforce. Many states will not be able to keep up with cybersecurity, and leaving it up to them might result in duplicative efforts, wasted resources, and a sheriff in Tennessee attempting to track down a sophisticated hacker using the Tandy IBM compatible that he got when he was fresh out of the academy. Thaw also noted that "this is a highly interconnected issue across the entire country" and that he "did not believe that the states have sufficient resources for enforcement."

On the flip side, a bad preemptive federal regime would nullify all current state-level consumer protections. And unfortunately, doing sweeping reform badly is something at which the government is rather well practiced. This may be why Thaw argued in favor of a federal regime only "as long as it was done right."

Thaw advocated a more far-reaching law that would combine data breach notification with overarching cybersecurity reform and impose regulations on companies, obligating them to protect certain data, such as financial records, legal documents, corporate trade secrets, and information about critical infrastructure systems. Thaw's research indicates that implementing breach notification legislation in conjunction with comprehensive information security requirements is four times more effective at preventing incidents than breach notification alone. He likened doing one without the other to locking a door but leaving a window wide open.

The future of data breach legislation is far from certain; several previous efforts to write a federal data breach notification statute have failed. After the ChoicePoint data breach in 2005, the committee proposed the Data Accountability and Trust Act (DATA), but the House never voted on it. Similar attempts to federalize data breach notification were made after the 2009 breaches of Heartland Payment Systems and a Defense Department fighter-jet project, and again after a wave of data breaches in 2011 that included Citibank.

Geoffrey J. Miller, UConn Law Professor Testifies Before Congress on Cybersecurity Policy, The Hartford Courant (Aug. 12, 2013), http://www.courant.com/community/hcrs-78407-west-hartford-20130809,0,1184211.story.

This article has also been picked up and republished by Dailypress.com and The Morning Call.

About Professor David Thaw:

David Thaw is a Visiting Assistant Professor at the University of Connecticut School of Law and an Affiliated Fellow of the Information Society Project at Yale Law School. His research and scholarship examine the regulation of internet and computing technologies, with a specific focus on cybersecurity regulation and cybercrime. Prior to joining UConn, David was a Research Associate at the University of Maryland Department of Computer Science and the Maryland Cybersecurity Center. He also practiced cybersecurity and privacy regulatory law at Hogan Lovells (formerly Hogan & Hartson). For more about David Thaw, visit his website.