AFTER HACKERS STOLE data from Target, Home Depot, and other companies in recent years, President Obama called on Congress to enact legislation setting a national standard governing what companies must do if their networks are breached.
Both Republicans and Democrats in the capital want to do something to improve cybersecurity, but getting to a final product is proving difficult. A federal law would probably preempt state laws to avoid making companies have to comply with a patchwork of rules, but for Massachusetts and other states that would mean reducing consumer protections.
Forty-seven states, including Massachusetts, already have laws on the books governing data breaches, and the Massachusetts statute is one of the strongest.
US Rep. Joe Kennedy of Brookline is among those in Congress fighting to slow down or kill the federal legislation. When the House Energy and Commerce Committee voted to approve a bill by Texas Republican Michael Burgess aimed at addressing the problem in April, Kennedy voted no. Kennedy’s protest has slowed the bill’s progress and raised questions about whether it can get through the Senate and be signed into law.
At the subcommittee markup of the bill, Kennedy took a leading role in criticizing it. “I understand why some want to create a single national standard for breach notification. Reducing the burdens on businesses, particularly businesses that were the victims of criminal breaches, is a sensible and laudable goal,” he says. “But we must also ensure that consumers, who are also the victims of breaches, do not lose protections that they currently have in place.”
As is the case across the country, Massachusetts companies are regular victims of hackers. According to the state attorney general’s office, Massachusetts firms reported 8,665 breaches between January 2008 and July 2014 in which consumer data belonging to nearly 5 million people were stolen. Hackers typically want the data so they can steal identities, take out credit lines, or raid bank accounts.
The federal bill would require companies to have reasonable security measures in place and to investigate breaches of their networks. If they determine that consumer data that puts customers at risk of financial fraud was stolen, they must inform those customers within 30 days of stopping the breach.
The consumer notice would have to include a description of the information that was stolen and the approximate date of the breach. The notice would also include telephone numbers to obtain more information on the breach, to reach a credit reporting agency, and to contact the Federal Trade Commission where consumers could get more information about identity theft.
The bill would task the Federal Trade Commission with enforcing violations of the law under its authority to police unfair or deceptive business practices. State attorneys general could also enforce the federal law.
Most Democrats in Congress think the bill is too weak because it doesn’t require companies to do anything if non-financial information, such as health records, is stolen, and denies the FTC the power to update the rules going forward.
Kennedy followed up his critique at markup by offering two amendments aimed at limiting the bill’s preemption of state laws, so that state consumer protection laws and common laws enforced by the courts remain in force. Both were defeated on party-line votes. He tried again before the full committee. Again, defeat.
Most of the incursions that have occurred in Massachusetts are small—affecting on average 77 people—and as such the Burgess bill would not require companies to report them to federal law enforcement agencies. A breach would have to affect 10,000 consumers in order to trigger that provision. The bill, theoretically, gives state attorneys general the authority to seek civil fines against companies that don’t abide by the federal rules, but it would require them to step aside if the Federal Trade Commission wanted to handle the case. The bill does not require companies to report breaches to state attorneys general, leaving them a step behind the FTC.
That prompted Sara Cable, an assistant attorney general in the consumer protection division under Attorney General Maura Healey, to write to Burgess earlier this year. “The absence of a requirement to provide notice to state attorneys general of data breaches, even for those breaches that impact a significant number of their residents, frustrates their ability to protect their residents,” she wrote.
The federal bill also would deny consumers a right to seek restitution on their own from a company that lost control of their personal information. The Massachusetts law allows them to sue.
Cable, who testified before Burgess’s committee in March, said that one of her biggest concerns is the preemption of state rules governing what companies must do to protect consumer data. The federal bill sets an ambiguous standard—reasonable security measures and practices—that would leave the courts to decide if a company had done enough.
The Massachusetts law, in place since 2010, is more prescriptive. It requires companies to restrict the access of their own employees to consumer data while blocking former employees’ passwords. It also requires standard security protocols such as firewalls, antivirus protection, and software patches.
Cable also notes that the penalties Burgess would impose aren’t that onerous for big firms. The FTC and state attorneys general could levy fines up to $11,000 per stolen record, with a cap of $2.5 million. First-time offenders would pay a maximum of $1,000 per record. That, she told Burgess’s committee, could be treated as a “cost of doing business,” rather than a deterrent.