
How Safe is Your Information Online? Lawmakers Debate Upping State Requirements for Data Breaches

As Washington state moves to combat an increasing threat posed by data breaches and hackers, differing viewpoints are emerging about how best the state can confront the issue.

Rep. Zack Hudgins, D-Tukwila, is carrying several bills on the subject, including one that would stiffen disclosure requirements on any business hit by a security breach that exposes sensitive consumer data such as names, addresses, social security numbers, driver’s license numbers, or bank account or credit card numbers.

Every month seems to bring news of another major U.S. firm victimized, including Target, Sony, Home Depot and K-Mart in the last year alone. Anthem, one of the largest health care insurers in the country, was hit in one of the largest corporate breaches in U.S. history this year, with a database containing 80 million customers’ records being hacked, according to CNN.

Hudgins is aiming to update two laws the Legislature adopted in 2005, one pertaining to businesses and individuals, and the other to state agencies. He has a series of bills on the subjects:

  • HB 1078 would increase the notification requirements for private companies in the event of a breach, including bringing in the Attorney General’s Office if it involves 500 or more consumers
  • HB 1466 would establish higher standards for the level of data encryption required for some information maintained on state government databases
  • HB 1469 requires that state agencies begin shedding rolls of payment credential data by 2018, placing the data in the hands of third-party companies with higher encryption standards
  • HB 1561 exempts information technology security discussions from the state’s open meetings act
  • HB 1468 allows the governor to declare a state of emergency due to a cybersecurity breach
  • HB 1470 sets up a blue ribbon panel to examine cybersecurity issues.

As Hudgins acknowledged in a committee hearing on his consumer notification bill last month, the point isn’t to prod the companies into doing more to protect the information – they’re doing that already.

“I don’t think the Legislature telling Target not to get hacked is going to make them want to get hacked any less,” Hudgins said. “We can try and find a solution before it gets any worse.”

And, as Shannon Smith of the Attorney General’s Office put it, notifying consumers of a breach is one of the most effective means of protecting them in the event a major Washington company does get hacked.

“Notice to consumers is one of the greatest protections we can afford to them to protect themselves from identity theft,” Smith said at last month’s hearing.

Yet, business groups expressed some concerns about the methods of Hudgins’ legislation, while one expert said it didn’t go far enough.

Craig Spiezle, executive director and president of the Online Trust Alliance, called Hudgins’ bill a good first step at updating the laws to meet current realities, but believes it’s too narrow in scope. The bill deals mainly with risks posed by exposed bank accounts or financial information, but Spiezle argued the risks are broader than that because people reuse the same user names and passwords for personal email accounts or on social media networks.

Other states are imposing tougher disclosure standards, and Congress is looking at upping the federal requirements as well, Spiezle said.

“It’s not just financial passwords,” Spiezle said. “This is a step in the right direction. A lot of states are grappling with this. How do you define sensitive personal information?”

But others worried about being too broad, and flooding consumers with notifications of breaches that may not result in sensitive information being disclosed. Scott Hazelgrove of the Direct Marketing Association, a trade group representing a nationwide consortium of marketing companies, said his group was concerned that removing an exception for encrypted data would expose companies to litigation risks.

“We want the rules to be clean, fairly applied,” Hazelgrove said.

Denny Eliason, representing the state’s banking association, argued that the efforts were duplicative considering the regulatory scrutiny already applied through the federal Gramm-Leach-Bliley Act. The bill’s original draft exempted medical agencies and businesses covered by the Health Insurance Portability and Accountability Act, which covers doctors, dentists, hospitals, nursing homes, insurance companies and HMOs, among numerous other entities.

Eliason argued that banks regulated under Gramm-Leach-Bliley should be exempted as well, and succeeded in getting the bill amended to exempt them so long as they remain in compliance with the federal law.

He also said the notification requirement’s 30-day window was too short given all of the processes required after a cyber-security breach, and the latest iteration of the bill extends that to 45 days.

“I know 30 days sounds like a lot,” Eliason said. “We don’t want to notify too much. We want it to be meaningful.”

Spiezle said that’s too long – consumers need the information as quickly as they can get it.

“Business should notify as soon as possible,” Spiezle said.
