Is A Criminal Statute Necessary To Supplement a Federal Breach Notification Law?

A few weeks ago, Jason Weinstein introduced Privacy Perspectives readers to Sen. Patrick Leahy’s (D-VT) Personal Data Privacy and Security Act of 2014, a bill that would enact a federal security breach notification law. While Weinstein’s position is well taken and should be considered as this bill moves through Congress, I believe that there is another issue that deserves considerable debate. In addition to creating the federal breach notification law, §102 of Leahy’s bill would open the door to criminal liability for anyone who “intentionally and willfully” conceals the fact of a security breach. Adding criminal liability is not to be taken lightly, and it would be wise for the information privacy and security community to think critically about whether the bill’s criminal statute would be a prudent addition.

The Personal Data Privacy and Security Act of 2014 would require any business entity engaged in interstate commerce that “uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information,” (defined within that Act) to notify any U.S. resident whose information has been, or is “reasonably believed to have been,” accessed or acquired during a security breach. If notice is required, the statute states that the notice must be made “without unreasonable delay” following discovery of the breach. A “reasonable delay” would include the time necessary to determine the scope of the security breach, prevent further disclosures, conduct a risk assessment of the disclosure or “restore the reasonable integrity of the data system.” The statute would also provide a number of notice exemptions, such as exempting notification if such a disclosure is determined by the F.B.I. or the Secret Service to possibly “reveal sensitive sources” or impede law enforcement investigations.

Leahy’s proposal would provide a single, uniform regulation for companies to follow, which would alleviate a major burden on companies that are currently wrestling with different state breach laws in order to stay in compliance. A 2012 whitepaper published by the Congressional Research Service found that because of the numerous state security breach notification laws, “businesses engaged in interstate commerce are confronted with compliance challenges and cite the lack of uniformity as justification for a national security breach notification standard.” Leahy’s bill attempts to solve this problem, but goes a step further and adds a new criminal statute, 18 U.S.C. § 1041, which would read:

Whoever, having knowledge of a security breach and of the fact that notice of such security breach is required under title II of the Personal Data Privacy and Security Act of 2014, intentionally and willfully conceals the fact of such security breach, shall, in the event that such security breach results in economic harm to any individual in the amount of $1,000 or more, be fined under this tile [sic] or imprisoned for not more than 5 years, or both.

This is cause for concern.

To begin with, the language of the proposed law is quite vague. The bill’s notification requirement provides a temporal buffer for “reasonable delay.” However, the criminal statute does not seem to account for this buffer. For example, if you have knowledge of a security breach that compromised customer credit card records—a form of “sensitive personally identifiable information”—and you know that disclosure is required under Title II—and you do not meet any of Title II’s exemptions—but purposely hold off on disclosing the breach in order to, say, “determine the scope of the security breach,” are you criminally liable? You’ve “willfully and intentionally” concealed a breach that you know needs to be disclosed, so under this proposal you would seem to be. Remember, the proposed language doesn’t punish intentionally and willfully concealing the fact of a security breach in disregard of the requirements of Title II; it punishes only intentionally and willfully concealing a breach for which you know notice is required. Also, who exactly is now criminally liable? Those who know of the breach and know that notification is required could cover a lot of employees, especially if the breach is significant.

This ambiguity is a recipe for disaster.

Irrespective of the bill’s current language, the broader issue of whether criminal liability should be included within a data breach notification law poses a much more vexing question. Responding to breaches involves a number of moving pieces, especially when dealing with a large corporation or a potentially massive breach (Angelique Carson wrote a great piece addressing this for The Privacy Advisor). Thus, there may not necessarily be any malicious intent when “concealing” a known security breach. Assessing and eradicating malicious code or intruders, assessing the scope of the problem and determining the best method of notice are all legitimate decisions that take time after discovery of a breach.

The former head of the cybercrime unit at Manhattan’s U.S. Attorney’s office, Joseph DeMarco, stated that “[a] breach investigation could take weeks or months before you know enough to have a legal obligation to disclose,” and that “[i]t’s a judgment call.” It’s no wonder why many security breach notification laws—including this bill—provide time for companies to evaluate the breach in more detail, even after discovery, before requiring disclosure to consumers. Now there clearly is a line that needs to be drawn for when delaying disclosure no longer benefits consumers, but add in the possibility for criminal liability and the “judgment call” DeMarco referred to may be one predicated on haste and fear. The thought of an ensuing criminal investigation for “holding off” on a required disclosure would surely dictate a company’s decision on whether or not to disclose, even if delaying disclosure would be a sensible move for both the company and consumers.

This isn’t to say that criminal liability may not at some point be a worthwhile consideration. However, the creation of a federal breach notification law would be a triumph in and of itself. Only after companies evolve and adapt to such a federal breach notification law should criminal liability be considered. Even then, there should be extensive debate on whether intentionally withholding the breach and minuscule economic harm should be all that is required to impose criminal liability. When or if that time comes, the question of criminal culpability should go beyond whether a company intentionally withheld notification and should search for the root of the malicious intent we hope to deter.

The consensus is clear that companies will benefit if they have one, distinct statute on how to notify consumers of security breaches instead of the many state laws currently in place today. If any bill currently making its way through Congress has a chance to make that a reality, the Personal Data Privacy and Security Act of 2014 would be it.

However, if such a federal breach notification law is to come to fruition, we must thoroughly discuss and debate whether it is wise to add a criminal sanction for intentionally concealing a data breach, and if so, what exactly that statute should entail. A company may have a rational reason for withholding the disclosure of a known security breach, and criminal liability may significantly distort a company’s decision-making process. Adding a possible prison sentence for company employees who voluntarily delay disclosure, as Leahy’s bill proposes, could greatly hinder companies trying to effectively and accurately respond to security breaches.

Written By

Andrew Proia, CIPP/US
