Old arguments may bog down US data breach notification legislation

Questions about preemption of state laws and when companies should report breaches come up again during a hearing

Debates around data

A drive in the U.S. Congress to pass a law requiring companies with data breaches to notify affected customers may get bogged down in old arguments.

Lawmakers and witnesses at a Tuesday hearing argued about whether a national data breach notification law should preempt 47 existing state laws and whether breached companies should be required to notify customers even when they determine their breaches are unlikely to cause harm.

Disagreements over those two issues have been part of the reason why Congress hasn't passed a national data breach notification law over the past decade. But the time has come for Congress to pass a national law, members of the House of Representatives Energy and Commerce Committee's commerce subcommittee said.

U.S. consumers want Congress to pass such a law, said Representative Michael Burgess, a Texas Republican and subcommittee chairman. Earlier this month, President Barack Obama called for a national law, and the committee intends to move a bipartisan bill forward, Burgess said.

Still, lawmakers will have to iron out major conflicts about the scope of a new law. Representatives of trade groups TechAmerica and the Retail Industry Leaders Association [RILA], as well as database marketing firm Acxiom, called on Congress to preempt the 47 state breach notification laws -- plus those from the District of Columbia, Guam, the Virgin Islands and Puerto Rico -- that are already on the books.

Complying with dozens of frequently changing state laws creates a "burdensome and complex compliance regime," said Elizabeth Hyman, executive vice president for public policy at TechAmerica. "A strong, single standard that applies throughout the country will ensure our consumers are safer and ensure our companies are well-informed about how to respond to the growing threat of data breaches."

A "carefully crafted federal data breach law can clear up regulatory confusion" while protecting consumers, added Brian Dodge, RILA's executive vice president for communications and strategic initiatives. Preempting state laws would "allow consumers to have a clear set of expectations" about notifications, he said.

A new national standard should not be a "48th data breach law with which retailers must comply," Dodge added.

But some Democratic subcommittee members questioned whether a national law should preempt all existing state laws. "There have been many important protections at the state level that we don't want to eliminate when we do federal legislation," said Representative Jan Schakowsky, an Illinois Democrat. "We have to be sure that we don't weaken protections that consumers expect and deserve."

If a national law preempts strong state laws, "hard won consumer protections will be lost," added Woodrow Hartzog, a law professor focused on data privacy issues at Samford University.

Dodge and Acxiom's chief privacy officer Jennifer Barrett-Glasgow also said that breached companies shouldn't be forced to notify customers if they conclude that the attack is unlikely to lead to identity theft or economic harm.

A notification law shouldn't inundate consumers with "meaningless notices when there is no risk of harm," Barrett-Glasgow said.

But Congress shouldn't leave the decision to send out notices in the hands of breached companies, Hartzog said. Consumer problems from data breaches go beyond ID theft or economic harm, to include damage to reputation or a loss of personal data that can lead to phishing attacks months later, he said. A new law should default to reporting data breaches, not to determining harm before reporting, he said.

Relying on breached companies to determine harm to customers "is a dubious proposition in several different ways," Hartzog said. "It's very difficult to draw a line of causation between a breach that occurred and likely harm that can happen sometime in the future."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.
