Are Breach Disclosure Laws Unconstitutional in the Wake of Supreme Court Abortion Case?

Your company has suffered a data breach. The law requires you to fall on your sword, and—at considerable time and expense—provide a government-scripted breach disclosure notice to your customers, including the facts and circumstances surrounding the breach, how it happened, what data was breached and, more importantly, what you are doing about it.

Irrespective of the costs of the breach itself, the government-compelled disclosure may cost you hundreds of thousands of dollars in disclosure costs alone, not to mention the reputational and other costs associated with this compelled speech. To make matters worse, the government-ordered speech does little in and of itself to make consumers safer or better protected against hackers.

There is little if anything that the consumer can do after having been notified of a breach. Most of the remediation—issuing new credit cards and credit freezes or warnings—has likely already occurred. The government mandates that a commercial entity provide a scripted notice to third parties. Compelled commercial content-based speech.

Ordinarily, this would be just another consumer protection regulation. But the U.S. Supreme Court may have thrown a monkey wrench into this machinery in a case involving—of all things—reproductive family planning centers in California.

Licensed abortion providers are required to make certain disclosures in various states—including many that, according to doctors, are not medically accurate and are not medically indicated. The California law required licensed family planning clinics that did not provide abortion or abortion counseling to disclose where such services could be obtained and required unlicensed facilities (which often “masqueraded” as licensed clinics) to disclose the fact that they were not licensed.

While it had upheld compelled disclosure laws in the past with respect to things such as fetal heartbeat and pain, mandatory vaginal ultrasound and other procedures, on June 26 the U.S. Supreme Court held that the First Amendment prevented California from compelling these clinics to make “compelled commercial speech.” Forcing a business to say something, the Court opined, restricts its right to free speech. And it restricts the business’s right to say nothing at all.

Compelled Speech

The Supreme Court noted that courts generally look askance at laws that compel entities to speak in a particular way based on the content of that speech. By compelling individuals to speak a particular message, such laws “alte[r] the content of [the entity’s] speech.” As a general matter, the Court noted, laws compelling speech based on content “are presumptively unconstitutional and may be justified only if the government proves that they are narrowly tailored to serve compelling state interests.”

Those are two separate tests. First, the government’s interest in forcing the entity to make the declaration must be “compelling.” Not just good policy, not just a good idea. But essentially something that is critically important for the government to do as a government, such as telling people about an epidemic or a child kidnapping. Routine, ordinary government policies and functions don’t apply—it has to be a COMPELLING state interest.

Second, the compelled disclosure has to be “narrowly tailored.” If the required speech is broader than absolutely essential to achieve the compelling interest, well, it violates the company’s First Amendment rights.

Third, the compelled disclosure must actually further the compelling interest. If it’s merely nice or helpful, that may not be enough.

Finally, the compelled disclosure generally should be the least intrusive means of fulfilling the compelling government interest. If there’s a way to achieve the same objective without compelled speech, then you have to do that. In most cases.

If we look at the Supreme Court majority decision, laws that compel commercial entities to “speak” are inherently suspect and can only survive scrutiny where they compel the entity to provide information that is both “purely factual and uncontroversial information about the terms under which … services will be available,” and are not “unjustified or unduly burdensome.” So, in that context, a lawyer who advertises that cases are accepted on a contingency basis and that the client who doesn’t win doesn’t pay can be subject to a state law that requires them to disclose the fact that the client is responsible for certain fees and expenses irrespective of the outcome of the case. But otherwise, compelled commercial speech is bad because it fails to “‘preserve an uninhibited marketplace of ideas in which truth will ultimately prevail.’”

In this context, take a look at breach disclosure laws. Most of these laws require not only disclosure of the fact of a breach, but compel specific information to be included, regardless of whether that information or the breach disclosure would ultimately be helpful to the customer. They essentially provide a government-written or government-approved script to which the commercial entity must conform. The “compelling state interest” is to keep the customer informed about the breach so that the customer can, umm … so that the customer can, umm … Oh yeah, so the customer can file a class action lawsuit against the breached entity.

I’m not sure that that is a “compelling state interest.” In fact, as applied today (and not as originally intended), breach disclosure laws actually serve the purpose of embarrassing and shaming entities that have suffered data breaches and causing them such hardship and expense so that they will attempt to prevent the breaches the next time. It’s really no longer about providing useful information to data subjects (if it ever was).

So, do statutes that compel companies to make content-based disclosures to consumers survive the Supreme Court’s decision?

Probably.

The dissenting justices in the Supreme Court’s family planning case point out that “Because much, perhaps most, human behavior takes place through speech and because much, perhaps most, law regulates that speech in terms of its content, the majority’s approach at the least threatens considerable litigation over the constitutional validity of much, perhaps most, government regulation. Virtually every disclosure law could be considered ‘content based,’ for virtually every disclosure law requires individuals ‘to speak a particular message.’”

While the majority exempted what it called routine safety notices from its “compelled speech” restriction (e.g., “hot, do not touch”), it failed to recognize that most regulations either restrict or compel speech. Fraud and false advertising laws compel “honest” speech that is not misleading. SEC regulations compel financial and risk disclosures. The minority noted that there was no “reasoned basis that might help apply [the Court’s] disclaimer for distinguishing lawful from unlawful disclosures” and that the decision “invites courts around the Nation to apply an unpredictable First Amendment to ordinary social and economic regulation, striking down disclosure laws that judges may disfavor, while upholding others, all without grounding their decisions in reasoned principle.”

The data breach disclosure laws are clearly government-compelled speech. The government has a good reason for wanting companies to make such disclosures, but such reasons may not be “compelling” and the disclosure may not be the least intrusive means of achieving the government’s objectives. Under the EU’s GDPR regulations, the disclosure is made to the government privacy entity, and only where that entity believes it necessary is a public disclosure made.

In essence, the Supreme Court has found a right of commercial entities not to be required to make notifications and disclosures because they have a First Amendment right not to be forced to do so. So maybe those cigarette warning labels are no longer allowed, or the McDonald’s “hot coffee may be hot” tautologies. But those are likely to be considered immediate safety warnings. Not so for breach disclosure. Perhaps the government will have to show a greater nexus between the disclosure and the harm it intends to prevent to justify its compelled speech requirement.

Ultimately, I believe these breach disclosure laws will pass constitutional muster. I believe that the “compelled disclosure” First Amendment provisions were used here to strike down a particular form of speech in a particularly highly charged political, moral, religious and ethical context that doesn’t apply to breach disclosure laws. But I also believe that a motivated and industrious lawyer could make a colorable claim that the Supreme Court just struck down breach disclosure laws. And I know many such lawyers.

Mark Rasch
Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 25 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.