Earlier this month Rep. Lieu (D,CA) introduced HR 327, the Ending
Forced Arbitration for Victims of Data Breaches Act of 2019. The bill would
make mandatory arbitration agreements unenforceable for ‘security breaches’.
Arbitration Agreements
Section 2 of the bill simply states that:
“An entity may not require, as part
of a customer or other similar agreement, an individual to agree to submit any
dispute related to a security breach, including any dispute related to identity
theft, to arbitration.”
Section 3 of the bill would make any such existing
provisions void.
Section 4 of the bill would make the Federal Trade
Commission responsible for enforcement of these provisions. Section 5 provides
for State enforcement of the provisions of the bill while allowing the FTC to intervene
in any prosecution. Individuals harmed by arbitration agreements would be given
authorization for private action under Section 6 of the bill, with a two-year
statute of limitations.
Definitions
Section 7 of the bill provides the two key definitions for
the bill. The first definition is for the term ‘security breach’. This is
defined as “a compromise of the security, confidentiality, or integrity of, or
the loss of, computerized data that results in, or there is a reasonable basis
to conclude has resulted in” {§7(1)(a)}
the unauthorized acquisition of, or access to, sensitive personally
identifiable information.
The second definition is of the term ‘sensitive personally identifiable
information’. That definition is quite lengthy and encompassing.
Moving Forward
Lieu is not a member of the House Energy and Commerce
Committee to which this bill was assigned for consideration. This means that
the bill is unlikely to be considered in Committee. If the bill were considered
it is very likely that there would be substantial opposition from organizations
representing any number of commercial enterprises which currently rely on
forced arbitration agreements.
If this bill were considered, it is possible that the bill
could be approved on party-line votes in the House, but it would never receive
consideration in the Senate.
Commentary
I am not sure how prevalent the use of arbitration ‘agreements’
is in contracts for industrial control system installations or components, but I
suspect that they would be fairly common. This bill would not address those
agreements except for the very narrow area of the protection of personally identifiable
information.
Crafting effective language to include security breaches of
control systems is going to be interesting. Part of the problem would be
defining what constitutes a breach of a control system. The relatively easy
part would be defining situations where there was a loss of control or loss of
view of the process. The more difficult part would be defining situations
leading to the loss of proprietary process data or design.
While this bill is unlikely to go anywhere (unless Lieu signs
up cosponsors who are more influential on the Energy and Commerce Committee),
it is probably a good idea for the industry to start to look at this as an area
where we are probably going to see future legislation that does address control
system security breaches and has a better chance of passing.