The Hill: Lawmakers see momentum for data breach legislation
House lawmakers in both parties at a Tuesday hearing voiced optimism that Congress could pass legislation requiring companies to notify customers about breaches of consumer data.
Efforts to pass such a bill have repeatedly stumbled, but Democrats and Republicans alike said the tide may be turning with voters increasingly focused on cybersecurity.
“I do sincerely believe that is an achievable goal,” said Rep. Michael Burgess (R-Texas), chairman of the House Subcommittee on Commerce, Manufacturing and Trade, which held the hearing. “It’s clear most of us agree on preemption.”
Lawmakers are debating legislation to require breached companies to notify customers within a set time period that their information has been exposed. It would also create nationwide data security standards for companies.
The effort to pass a federal data breach bill has received new momentum following a series of high-profile data breaches at major companies like Home Depot, Target and JPMorgan. The recent cyberattack on Sony Pictures has only brought more attention to the issue.
The White House has also pressed Congress to move on the issue. It recently released its own legislative proposal, which Sen. Bill Nelson (D-Fla.) later introduced. The bill would set a 30-day window for notification, require companies to report certain breaches to the government and empower the Federal Trade Commission to set and enforce federal data security standards.
With 47 different state-based data breach notification bills, many lawmakers and industry groups think creating one federal standard should be Congress’s top 2015 cybersecurity priority. In 2015 alone, seven states have introduced 17 bills related to this issue, said Elizabeth Hyman, executive vice president of Tech America, the public policy wing of tech trade group CompTIA.
Lawmakers must “get it right” on a data breach bill “before we try to tackle some of the other concerns,” said Rep. Fred Upton (R-Mich.), who chairs the full House Committee on Energy and Commerce.
Still, a number of questions remain.
Rep. Peter Welch (D-Vt.) ticked off a few: How many days should companies get to investigate a breach before they must notify consumers? What type of breach should trigger a customer notification? Should all sectors be covered by a federal law? Should states retain the power to enforce data breach laws?
“These are more practical issues,” Welch said.
Lawmakers focused many of their questions on which breaches should prompt customer notifications.
Industry groups are worried a federal standard could drive over-notification, where consumers are inundated with messages that their data has been exposed.
“Industry in general is very sensitive to the over-notification problem,” said Jennifer Glasgow, chief privacy officer at data broker Acxiom.
Companies should only have to notify customers if “their information has actually been accessed and only when that information is likely to be used in a harmful manner,” Hyman said.
But Woodrow Hartzog, a data breach law expert at Cumberland School of Law, cautioned that “it can be extremely difficult to meet the burden of proof that harm is actually likely in any one instance.”
“The problem of over-notification is also one that can tend to be overinflated,” said Rep. Jan Schakowsky (D-Ill.), the subcommittee’s ranking member.