A few weeks ago, Jason Weinstein introduced Privacy Perspectives readers to Sen. Patrick Leahy’s (D-VT) Personal Data Privacy and Security Act of 2014, a bill that would enact a federal security breach notification law. While Weinstein’s position is well taken and should be considered as this bill moves through Congress, I believe that there is another issue that deserves considerable debate. In addition to creating the federal breach notification law, §102 of Leahy’s bill would open the door to criminal liability for anyone who “intentionally and willfully” conceals the fact of a security breach. Adding criminal liability is not to be taken lightly, and it would be wise for the information privacy and security community to think critically about whether the bill’s criminal statute would be a prudent addition.
The Personal Data Privacy and Security Act of 2014 would require any business entity engaged in interstate commerce that “uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information,” (defined within that Act) to notify any U.S. resident whose information has been, or is “reasonably believed to have been,” accessed or acquired during a security breach. If notice is required, the statute states that the notice must be made “without unreasonable delay” following discovery of the breach. A “reasonable delay” would include the time necessary to determine the scope of the security breach, prevent further disclosures, conduct a risk assessment of the disclosure or “restore the reasonable integrity of the data system.” The statute would also provide a number of notice exemptions, such as exempting notification if such a disclosure is determined by the F.B.I. or the Secret Service to possibly “reveal sensitive sources” or impede law enforcement investigations.
Leahy’s proposal would provide a single, uniform regulation for companies to follow, which would alleviate a major burden on companies who are currently wrestling with different state breach laws in order to stay in compliance. A 2012 whitepaper published by the Congressional Research Service found that because of the numerous state security breach notification laws, “businesses engaged in interstate commerce are confronted with compliance challenges and cite the lack of uniformity as justification for a national security breach notification standard.” Leahy’s bill attempts to solve this problem, but goes a step further and adds a new criminal statute, 18 U.S.C. § 1041, which would read:
Whoever, having knowledge of a security breach and of the fact that notice of such security breach is required under title II of the Personal Data Privacy and Security Act of 2014, intentionally and willfully conceals the fact of such security breach, shall, in the event that such security breach results in economic harm to any individual in the amount of $1,000 or more, be fined under this tile [sic] or imprisoned for not more than 5 years, or both.
This is cause for concern.
To begin with, the language of the proposed law is quite vague. The bill’s notification requirement provides a temporal buffer for “reasonable delay.” However, the criminal statute does not seem to account for this buffer. For example, if you have knowledge of a security breach that compromised customer credit card records—a form of “sensitive personally identifiable information”—and you know that disclosure is required under Title II—and you do not meet any of Title II’s exemptions—but purposely hold off on disclosing the breach in order to, say, “determine the scope of the security breach,” are you criminally liable? You’ve “willfully and intentionally” concealed a breach that you know needs to be disclosed, so you would seem to be under this proposal. Remember, the proposed language doesn’t punish intentionally and willfully concealing the fact of a security breach in disregard of the requirements of Title II, only intentionally and willfully concealing a breach for which you know notice is required. Also, who exactly is now criminally liable? Those who know of the breach and know that notification is required could cover a lot of employees, especially if the breach is significant.
This ambiguity is a recipe for disaster.
Irrespective of the bill’s current language, the broader issue of whether criminal liability should be included within a data breach notification law poses a much more vexing question. Responding to breaches involves a number of moving pieces, especially when dealing with a large corporation or a potentially massive breach (Angelique Carson wrote a great piece addressing this for The Privacy Advisor). Thus, there may not necessarily be any malicious intent when “concealing” a known security breach. Assessing and eradicating malicious code or intruders, assessing the scope of the problem, and determining the best method of notice are all legitimate decisions that take time after discovery of a breach.
The former head of the cybercrime unit at Manhattan’s U.S. Attorney’s office, Joseph DeMarco, stated that “[a] breach investigation could take weeks or months before you know enough to have a legal obligation to disclose,” and that “[i]t’s a judgment call.” It’s no wonder why many security breach notification laws—including this bill—provide time for companies to evaluate the breach in more detail, even after discovery, before requiring disclosure to consumers. Now there clearly is a line that needs to be drawn for when delaying disclosure no longer benefits consumers, but add in the possibility for criminal liability and the “judgment call” DeMarco referred to may be one predicated on haste and fear. The thought of an ensuing criminal investigation for “holding off” on a required disclosure would surely dictate a company’s decision on whether or not to disclose, even if delaying disclosure would be a sensible move for both the company and consumers.
This isn’t to say that criminal liability may not at some point be a worthwhile consideration. However, the creation of a federal breach notification law would be a triumph in and of itself. Only after companies evolve and adapt to such a federal breach notification law should criminal liability be considered. Even then, there should be extensive debate on whether intentionally withholding the breach and minuscule economic harm should be all that is required to impose criminal liability. When or if that time comes, the question of criminal culpability should go beyond whether a company intentionally withheld notification and should search for the root of the malicious intent we hope to deter.
The consensus is clear that companies will benefit if they have one, distinct statute on how to notify consumers of security breaches instead of the many state laws currently in place today. If any bill currently making its way through Congress has a chance to make that a reality, the Personal Data Privacy and Security Act of 2014 would be it.
However, if such a federal breach notification law is to come to fruition, we must thoroughly discuss and debate whether it is wise to add a criminal sanction for intentionally concealing a data breach, and if so, what exactly that statute should entail. A company may have a rational reason for withholding the disclosure of a known security breach, and criminal liability may significantly distort a company’s decision-making process. Adding a possible prison sentence for company employees who voluntarily delay disclosure, as Leahy’s bill proposes, could greatly hinder companies trying to effectively and accurately respond to security breaches.