Congress showed momentum toward a national data breach notification law this week by holding a hearing to determine what form such a law should take and which industries should be subject to it.
Speakers at the hearing generally agreed that consumers should be notified if their personally identifiable information has been exposed or lost, within a reasonable time frame. A few speakers also expressed strong support for federal preemption of existing state laws.
Rep. Michael Burgess, chairman of the U.S. House of Representatives Subcommittee on Commerce, Manufacturing, and Trade, advocated an overarching federal standard for businesses to follow, but advised against trying to mandate any additional standards for the healthcare and financial sectors.
“A single requirement across the states would give companies some confidence that their methods are sound in handling electronic data, an inherently interstate activity,” stated Rep. Burgess. “Moreover, it would put all companies on notice that if you fail to keep up with other companies and if you aren’t learning from other breaches, you will be subject to federal enforcement. Indeed, too many resources are spent trying to understand the legal obligations involved with data security and breach notification. Certainty would allow those resources to be spent on actual security measures and notifications to affected consumers.”
Energy and Commerce Committee Chairman Rep. Fred Upton joined Burgess in calling for a single standard, commenting, “The trade-off is that it has to be a strong, consumer-friendly law – one that has real protections and real enforcement. Both the FTC and state AGs have shown that this is an area that they would police very effectively. Our role is to strike the right balance on when notification is required, how timely it needs to be, and what information leads to identity theft.”
He added, “Setting a national standard benefits consumers by ensuring that every business must look at their activities and make sure they are taking reasonable security measures. A national standard allows businesses to focus on securing information and systems instead of trying to figure out how to comply with a host of different state laws with teams of lawyers. Consumers benefit from consistency in security and breach notification no matter what state they live in.”
Over the course of the hearing, however, the question for lawmakers quickly became how to approach the existing framework of varied state data breach notification laws. From the perspective of the Retail Industry Leaders Association (RILA), Congress should opt for a federal standard to replace “the often incongruous and confusing patchwork of state laws in place today.” RILA representative Brian Dodge also cited the FTC’s regulatory attention to data breaches in recent years.
“For companies operating across many jurisdictions, this fact dependent analysis must occur simultaneously, rapidly, and accurately,” he said. “Retailers face a significant regulatory burden to comply with the vast number and variety of these breach notice laws.”
Jennifer Barrett Glasgow, chief privacy officer for Acxiom, a marketing data firm, spoke before the Committee, warning against overburdening consumers with notifications unless there is a genuine danger of their personal data being misused.
“There is indeed a danger of over-notification – that consumers will not pay attention to a notice that matters because they have previously received notices under circumstances where they were not at risk. Therefore, Acxiom supports a harm-based trigger for notification,” she said.
Not all those testifying felt Congress should entirely replace the work states have done on data breaches. Woodrow Hartzog, a law professor at Samford University’s Cumberland School of Law, warned against undoing many of the strong consumer protection provisions enacted by states.
“Multiple regulatory bodies are still needed to protect our personal information in order to ensure the adequate resources and experimentation necessary to respond to constantly evolving threats and new revelations about our vulnerability,” said Hartzog. “Additionally, preemption threatens to water down some of the important existing robust data breach protections. There is a real risk that preemptive federal legislation would do more harm than good. Our critical data protection infrastructure will be weakened if federal legislation scales back protection, consolidates regulatory authority, and sets specific rules in stone. Data breach law must offer robust protection and be able to evolve quickly.”