
The Health Exchange Security and Transparency Act of 2014

Paul Rosenzweig
Saturday, January 11, 2014, 5:36 PM

Published by The Lawfare Institute in Cooperation With Brookings

So ... what are we to make of the Health Exchange Security and Transparency Act of 2014? As readers may be aware, the bill was proposed by the Republican majority of the House of Representatives and passed that body last week by a vote of 291-122, with 67 Democratic votes in favor. Democratic leadership opposed the bill as a subterfuge for attacking the President's health care initiative. Republicans said it was simply a sensible response to alleged cybersecurity lapses in the development of the healthcare.gov website. I thought it might be useful to read the actual text and see what it says. The bill is admirable in its brevity -- something unusual in this day and age. Indeed, its entire text (save for the title) is as follows:
Not later than two business days after the discovery of a breach of security of any system maintained by an Exchange established under section 1311 or 1321 of the Patient Protection and Affordable Care Act (42 U.S.C. 18031, 18041) which is known to have resulted in personally identifiable information of an individual being stolen or unlawfully accessed, the Secretary of Health and Human Services shall provide notice of such breach to each such individual.
The text compares relatively favorably with similar State laws. To take but one example, California law requires a business to notify any California resident whose unencrypted personal information, as defined, was acquired, or is reasonably believed to have been acquired, by an unauthorized person (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a)). Sections 1798.29(a) and .82(a) are essentially identical and provide:
Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Indeed, other than the unreasonably strict 2-day requirement to provide notice (which is both overly prescriptive and, in the end, impossible to accomplish), the Federal law seems a reasonably close cognate to existing California law. The only difference that I can perceive is that the California law applies to individuals and businesses, but not to the State government itself [query -- does anyone know of a similar law applied by the State to its own data breaches? My quick research cannot discover such a law, but I am no California expert. The State web site says the law applies to State agencies too, though, which makes the comparison even more apt.]. By contrast, the new Federal law is self-referential. Which, I guess, is the point of the exercise. If you think that government efforts should be subject to the same laws and limitations as those applied to its citizens, then you don't have a problem with HESTA. If, however, you think that government activity is sui generis and that its cybersecurity needs are different from those of the private sector, you might oppose the law. For myself, if someone had breached a system holding my personal data, I'd want to know about it. It wouldn't matter to me whether it was healthcare.gov, the IRS, the DC government system, or Target. Each is a threat to my personal data security. While I'm not insensitive to the political context of the bill, on the merits I can't really see much wrong with it.

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.
