National Data Breach Notifications Would Replace 'Patchwork' of State Statutes

Members of a House subcommittee on Thursday heard an essentially unanimous call from a panel of witnesses for a national data-breach notification standard to replace the wide-ranging laws currently on the books in 48 states.

The disagreement, such as it was, came in the form of how such a law should be tailored, but witnesses and lawmakers alike expressed broad support for a national law to replace what Rep. Lee Terry (R-Neb.), the chairman of the Energy and Commerce Committee's subcommittee on commerce, manufacturing and trade, called the "patchwork of state and territory-specific statutes."

[Related: Navigating the Maze of Data Breach Notification Laws]

The word "patchwork" was uttered often as witnesses described the compliance burden of adhering to the notification requirements prescribed by the various states, which can include different triggers for sending out a notice of a breach, such as inconsistent definitions for personally identifiable information.

Creating Better Risk Management Policies

"While many businesses have managed to adapt to these various laws, a properly defined data breach notification standard would go a long way to guide organizations on how to address cyber threats in their risk management policies," says Kevin Richards, senior vice president for federal government affairs with the trade group TechAmerica.

"It also would help prevent breaches and give guidance on how best to respond if an organization should fall victim to a breach caused by an attack," Richards adds. "It would be particularly helpful for smaller businesses, many of whom cannot afford teams of lawyers to navigate 48 breach standards should something bad actually happen."

[Related: Proposed EU Cyber Security Law Would Firm Up Breach Notification Rules]

TechAmerica advocates for a uniform, risk-based approach to data breach notifications that would preempt state laws. Central to that system would be a common definition of the types of data compromised (names, addresses, Social Security numbers and so on) that would trigger the notification requirement. Richards also warned lawmakers against writing into law specific approaches to mitigating data breaches, urging that any bill be "technology neutral."

Jeff Greene, senior policy counsel for cybersecurity and identity with Symantec, offers the estimate that 93 million identities were exposed last year as a result of data breaches, while cyber crime accounted for $110 billion in consumer losses.

"The cost of these breaches is real," Greene says.

[Related: Cybersecurity Stalls in Senate, Obama Could Issue Executive Order]

Thursday's hearing was timely. That morning, reports began appearing that the hacktivist group Anonymous had accessed the email accounts of thousands of Capitol Hill staffers.

A Complex State of Notifications

Adding to the complexity of overlapping state laws is the question of applicability. Debbie Matties, vice president of privacy with CTIA, a trade group representing the wireless industry, explained how telecom providers in particular struggle with compliance when a breach occurs, which could affect subscribers on a family plan who are often in different states.

"Most data breaches impact consumers in multiple states, just like the breach that happened here in the House. And electronic data is rarely segmented by state, so under current law, the question becomes, which state law should apply? The state in which the consumer resides? The state in which the breach occurred? Or the state in which the vulnerability existed and was exploited?" Matties says.

Lawmakers considered whether a federal data-breach notification standard should come in a larger bill that would address companies' defensive data-security posture as well as the provisions stipulating how they communicate with their customers in the event of a breach.

That approach would couple the notification provision with the more contentious debate over cybersecurity legislation, which has been simmering in committees in both chambers for several years.

Several witnesses suggested that a data-breach bill should include an exemption from any notification requirement in cases when the company had encrypted the data so that it would be unusable for the hacker.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues.
