Legal Sidebar

What Legal Obligations Do Internet Companies Have to Prevent and Respond to a Data Breach?

October 25, 2018

Congressional Research Service, https://crsreports.congress.gov, LSB10210. CRS Legal Sidebar, prepared for Members and Committees of Congress.

Recently, large Internet companies (i.e., companies that do most of their business on the Internet, such as social media platforms or search engines) have made headlines after failing to secure their users’ personal information. For example, on September 28, 2018, Facebook announced a security breach affecting tens of millions of user accounts. According to Facebook, hackers exploited a vulnerability in its code that allowed them to steal “access tokens,” which are the “equivalent of digital keys” that “keep people logged in to Facebook.” Facebook later disclosed that, of the affected accounts, hackers accessed the names and contact details of 15 million users and the biographical information of another 14 million users. Just over a week after Facebook’s breach, on October 8, 2018, Google, in announcing the end of its social network Google+, disclosed that a software glitch exposed the personal data associated with up to 500,000 Google+ accounts. Google explained that it discovered and resolved the glitch in March 2018 and that there was no evidence anyone misused the exposed data. The Internet search giant reportedly made an initial decision not to disclose the incident before reversing course and shutting down the Google+ platform following a Wall Street Journal investigation.

These incidents raise the question: what legal obligations do Internet companies have to prevent and respond to data breaches? This Sidebar considers the answer to this question under federal and state law. The Sidebar then discusses several factors Congress might consider when weighing future legislation.

Federal and State Law on Preventing Data Breaches

In contrast to the European Union, which recently adopted a wide-reaching data privacy law called the General Data Protection Regulation (GDPR), there is no comprehensive federal law requiring all entities or individuals who collect personal information electronically to maintain the security of such data. Rather, the few federal data security laws that do exist are primarily directed at specific industries. For instance, the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations require financial institutions to maintain comprehensive information security programs to safeguard customers’ nonpublic personal information. Similarly, the regulations implementing the Health Insurance Portability and Accountability Act (HIPAA) require covered healthcare companies to maintain safeguards to prevent data security threats to electronic “protected health information.” Other sector-specific federal laws that require certain entities to adopt data security measures, or that limit the circumstances under which those entities may disclose personal information, include the Driver’s Privacy Protection Act (governing state departments of motor vehicles), the Privacy Act of 1974 (governing federal agencies), the Fair Credit Reporting Act (FCRA) (governing credit reporting agencies), and the Children’s Online Privacy Protection Act (COPPA) (governing online operators that direct their services at children or knowingly collect children’s data).

Notably, no federal data security law specifically directs Internet companies falling outside the reach of these sector-specific statutes to adopt security measures designed to protect personal data from unauthorized hacks or unintentional exposure. Such companies may nonetheless have obligations under federal consumer protection laws. In particular, the Federal Trade Commission (FTC) Act empowers the FTC to prevent companies from engaging in “unfair or deceptive acts or practices” (commonly referred to as “UDAPs”) “in or affecting commerce.” The FTC Act allows the FTC to seek equitable relief, including preliminary or permanent injunctions, in UDAP enforcement actions. The Commission may, however, only seek civil monetary penalties if the party has violated a consent decree or a regulation defining a specific type of conduct as a UDAP.

The FTC has used its UDAP authority to bring a number of enforcement actions against companies that fail to invest adequately in data security. Often, the FTC maintains that such failures are “deceptive” because they contradict companies’ past security promises. For instance, in 2014 the social media company Snapchat settled FTC charges alleging that its failure to secure its “Find Friends” feature allowed hackers to compile 4.6 million user names and phone numbers. The FTC alleged that Snapchat acted deceptively because the company’s privacy policy said that it had taken reasonable data security measures. Along with “deceptive” claims, the FTC has also recognized that failing to safeguard user data adequately may be “unfair.” The FTC Act provides that an act or practice is only “unfair” if it “causes or is likely to cause substantial injury to consumers,” is not “reasonably avoidable by consumers,” and is “not outweighed by countervailing benefits.” At least one court has agreed that a company’s failure to safeguard user data may, in some circumstances, meet this standard. However, the extent to which the FTC may rely on its “unfairness” authority is unclear. A recent Eleventh Circuit decision suggests that the FTC needs to allege specific failures and remedies in order to successfully issue a cease-and-desist order based on a company’s “unfair” data security measures. In that case, LabMD v. FTC, the court noted that the FTC’s order “contains no prohibitions” but “commands the company to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.” The court concluded that such an order is unenforceable, reasoning that penalizing a company for failing to comply with an imprecise standard “may constitute a denial of due process” and that the order “effectually charges the district court enforcing the order with managing the overhaul.”

In addition to the FTC Act’s UDAP provision, Internet companies must comply with a number of state laws regulating data security. Thus far, at least 22 states have enacted laws of general applicability governing data security. These statutes generally require companies to maintain “reasonable” security procedures to protect personal information. While many state laws do not specify what constitutes a “reasonable” procedure, some states, like Massachusetts, specify in detailed regulations the types of measures required. State consumer protection laws and common law causes of action (such as negligence; negligence per se, often based on federal statutes like FCRA or GLBA; negligent misrepresentation; fraud; or breach of contract) may also apply. For instance, following Home Depot’s data breach affecting more than 50 million cardholders, consumers sued the company alleging negligence, negligence per se, and violations of multiple state consumer protection laws.

Federal and State Law on Responding to Data Breaches

Federal laws and regulations impose relatively few obligations on companies that suffer data breaches, and those that exist are generally directed at specific sectors, such as the banking industry (under GLBA interagency guidance) or the healthcare industry (under HIPAA regulations). However, as the Securities and Exchange Commission (SEC) indicated in February 2018 guidance, publicly traded companies may be required to report breaches in their public filings with the SEC, because federal securities laws and regulations prohibit companies from omitting material facts necessary to make statements made in connection with the purchase or sale of any security “not misleading.” The SEC guidance does not articulate a bright-line approach for determining when companies must report a data breach and does not include any categorical exemptions, such as exemptions for de minimis breaches. Rather, the guidance directs companies to consider whether a breach is material to investors in light of factors such as the nature of the compromised information, the potential magnitude of the breach, and the range of harm caused by the breach. Since issuing the guidance, the SEC has brought at least one enforcement action against a company for failure to report a data breach. In April 2018, Yahoo Inc.’s successor company agreed to pay a $35 million penalty to settle SEC charges that the company misled investors by failing to report a major 2014 data breach in which hackers acquired personal data associated with hundreds of millions of user accounts.

Although there are few federal laws regulating responses to data breaches, the states have addressed the issue. As of March 2018, all 50 states have enacted data breach response laws. The laws’ specifics vary significantly, however, creating, in the view of some commentators, uncertainty for companies responding to data breaches. For instance, some states require notification after any breach of non-encrypted personal information (e.g., New York), while others require notification only if the breach is likely to cause “substantial harm” to individuals (e.g., Alabama). Furthermore, some states require companies to notify affected individuals within a certain time frame, such as 30 days (e.g., Florida), 45 days (e.g., Washington), or 60 days (e.g., Delaware), while others simply require companies to provide notice “without unreasonable delay” (e.g., California). State laws also differ in how they define personal information; whether and when companies must notify any state agencies; the required contents of the notice; the required method of notice (e.g., some states allow for substitute notice while others do not); and who can bring actions for violations (while most states only empower the attorney general to enforce violations, some states allow private causes of action in addition to attorney general enforcement).

Despite their differences, state laws generally require companies to notify affected individuals regardless of whether the breach resulted from an inadequate data security program. State laws typically define a triggering breach as involving the “unauthorized acquisition” of personal information. These definitions generally do not require that the “unauthorized acquisition” be caused by companies’ security failures, nor do they necessarily contain carve-outs for companies with adequate data security programs in place (e.g., California, Texas, New York). Because breaches are typically defined as the “unauthorized acquisition” of personal data, companies generally are not required to notify individuals when there is no evidence that the company’s failure resulted in a third party possessing personal data without authorization. Nonetheless, a handful of jurisdictions (Puerto Rico, New Jersey, Florida, and Connecticut) depart from this general rule by defining data breaches to include “unauthorized access” to personal information. As some commentators have noted, “unauthorized access” may be a lower standard that covers situations where personal data is merely exposed to unauthorized individuals, even if those individuals did not actually gain possession of the data.

Considerations for Congress

While there is a relative absence of federal law on how Internet companies should prevent and respond to data breaches, a number of bills have been introduced on this issue. Any data security legislation raises several legal considerations for Congress.

First, Congress might evaluate the scope of the covered subject matter and entities. In terms of subject matter, legislation could impose preventative data breach measures (e.g., H.R. 6864), responsive data breach measures (e.g., H.R. 3816), or both (e.g., H.R. 4081). In terms of entities, legislation could cover all companies subject to the FTC’s or another agency’s jurisdiction (e.g., H.R. 5388), or it could take a sector-specific approach and only cover Internet companies (e.g., S. 2728).

Second, Congress might consider the appropriate enforcement agency and the nature of its authority. While many proposed bills would designate the FTC as the primary enforcer, legislation has differed on the way in which the FTC would enforce violations. For instance, some bills would rely on the existing framework under the FTC Act by directing the FTC to treat violations of the bill as violations of a UDAP regulation. Other bills would give the FTC and the Department of Justice shared enforcement authority, or would create an entirely new “Office of Cybersecurity” to enforce violations.

Third, to address concerns about the lack of uniformity among state data breach legislation, Congress might consider the extent to which any new federal legislation would preempt state laws. For example, some legislation would expressly preempt any similar state laws, while other bills are silent on the issue or would only preempt “less stringent” state laws.

These and other legal issues could be of importance as Congress considers legislation in light of recent concerns over how Internet companies are protecting against, and responding to, threats to cybersecurity.

Author Information

Chris D. Linebaugh, Legislative Attorney

Disclaimer

This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material.