WASHINGTON—The Senate Judiciary Committee has approved three cybersecurity bills, one of which was sponsored by Vermont Sen. Patrick Leahy, that would toughen penalties for cybercrimes and require businesses to strengthen data security and notify customers of breaches.
The bills were approved last week along party lines. Leahy, a Democrat who is chairman of the committee, said the concepts in the bills had received bipartisan support in the committee in the past, and wondered why the support faded.
“I have no idea why. Unless there’s been business pressure by someone who doesn’t want to comply,” he said. “When I see Republican support in the past, and now they don’t support it, that bothers me.”
The data security requirements would apply only to businesses with personal information on 10,000 people or more, but Leahy said it’s a starting point and he’d like to expand the legislation in the future to apply to all businesses that keep electronic personal information.
“As a consumer, you have a right to expect some privacy in your dealings,” he said. “We in Vermont enjoy our privacy.”
Despite the lack of Republican support in the committee, Leahy will push for full Senate consideration of the bill.
Sen. Charles Grassley, the top Republican on the committee who has in the past expressed concern about data security, led his party’s committee members in opposition.
The bills “could cause a lawsuit explosion on all businesses, large and small,” the Iowa Republican said at the Judiciary Committee hearing.
In the committee hearing, Grassley also expressed concern that a customer notification for every security breach would cause an inundation of notifications that would lead to desensitization that he called “a boy who cried wolf situation.”
Because most states have data-breach notification laws, companies are already sending the alerts, but a single federal law would simplify things, said David Sohn, senior policy counsel for the Center for Democracy and Technology, a nonprofit that advocates for a free-operating Internet and worked with the committee to support the bill.
“In terms of protecting consumers, this essentially is a step sideways,” he said. “At the end of the day, right now, when data breaches happen companies are feeling like they have to notify.”
Sohn also said the bill is worded in such a way that data-breach notifications would not be required if accessed data were encrypted or if the company could determine that there was no risk of harm, so he did not foresee an inundation of notifications.
One amendment in the Leahy-sponsored bill did receive bipartisan support. It would clarify an ambiguous section of the Computer Fraud and Abuse Act.
The law can be interpreted to mean that violation of any terms-of-service agreement (i.e. the long-winded legal jargon that you neglect to read before clicking “agree”) or breaking an employer’s computer-use policy could be punishable.
Some say this could be something as trivial as creating a social media account under a pseudonym or checking Facebook at work.
“Some courts have interpreted to make employees who violate computer-use policies subject to civil and criminal penalty,” said Greg Nojeim, senior counsel at the Center for Democracy and Technology.
“It gives too much power to the people who write these policies,” he said.
In one case, United States of America v. Nosal, an employee accessed company files at work that he was not authorized to access but could obtain without hacking. He was convicted under the Computer Fraud and Abuse Act.
Leahy’s proposal would state that the law does not apply to service agreements or computer-use policies with Internet service providers, websites or private employers.