Congress can’t accomplish much these days, right? No room for common ground and bipartisan effort? How about trying for an obviously necessary thing that might please everyone across the spectrum (except plaintiffs’ lawyers hungry for a new, deep vein of cases): A federal legislative “safe harbor” for data breach victims.
We are getting used to seeing that hackers of one sort or another have looted a company’s electronic data. Target’s breach is the biggest story to date, and the one that is showing just how wildly expensive such breaches can be to a company’s bottom line. There’s the repair work, the make-goods on fraudulent transactions, and then the lawsuits, dozens of lawsuits. Here’s one sample. Now imagine that such suits, many of them, will follow every data breach you read or hear about. That’s the situation as of today.
I spent part of Thursday morning with one of D.C.’s “super lawyers,” a K-Street wizard on such matters, the sort of fellow whose phone rings in the middle of the night with a frantic General Counsel on the other end who has just been talking to a deeply worried CEO about a hacker attack.
Data security companies will happily tell anyone who will read their websites about the 40-plus state law regimes on data breach notification, and the Storage Networking Industry Association has an online tutorial that gives a glimpse of the level of complexity any business faces when it comes to the consequences of a data breach. (NB: It is more than a year old but still serves as a guide to the sheer and sudden explosion of laws in this area, and not just in the U.S., but abroad.)
What my lawyer friend told me is that of course California is the worst place when it comes to data breaches, just as it is with wage-and-hour class action suits, insane environmental rules, etc., because the state law allows for class actions against companies that have been hacked, and the damages will run high and the attorneys’ fees higher.
No doubt this is very good for the law business and very bad for every other business, and not just in my state but across the country. So companies pour more and more resources into encryption and security, and hackers multiply and work to crack the codes. A virtual arms race that will never end, but into which Congress could inject a small dose of common sense.
If Congress enacts a “safe harbor” which protects companies against civil liability for third-party hacker attacks and data theft when the targeted company has adopted a set of “best practices” and has their application and upkeep audited annually, everyone would win (except the plaintiffs’ bar). Companies wouldn’t have to undertake such a thing, but the smart ones, which are the biggest targets, would. No mandates, just incentives. And pre-emption of contrary state law. In the world of cyber-security, we really don’t want the California legislature setting the rules. Here’s the IT Law Wiki link on data breach and notification law if the subject interests you further. If you are a CEO, read about Target’s mounting legal woes as the class action suits pile up, and redouble your efforts to protect the data and to prove that you did everything you could to do so. Send a memo with your name on it ordering the “best practices audit.” That way at least you will have something to show your board when the bell tolls for your business.
And for a Congress that isn’t going to make many difficult choices this year, a law that deals rationally with creating a safe harbor makes abundant sense, especially if the choices it offers companies are voluntary ones. Brace yourself, but Senator Leahy actually has a bill that deals with the general subject, and Republican Senator Deb Fischer of Nebraska is also interested in the subject and sits on the Senate Committee on Commerce, Science, and Transportation, not Senator Leahy’s Judiciary Committee. I point to this latter fact to assure you this isn’t some far-left scheme to take over all of corporate America’s data and mine it for future votes. A serious effort to produce a law that could actually be understood by businesses large and small would be welcome and would greatly enhance American economic growth over the next few decades. Heading off the development of a large plaintiffs’ bar that cheers every time hackers crack a code is a huge incentive for the House GOP to meet with Leahy’s and Fischer’s staffs and work out some framework that doesn’t try to solve everything but which does at least bring some sort of understandable and implementable safe harbor into being, to save American companies and consumers from the huge weight of a hundred thousand lawsuits and bogus cy pres remedies and settlements. (See Chief Justice Roberts’ thoughts on that subject here.)