Old arguments may bog down US data breach notification legislation

Grant Gross | Jan. 28, 2015
A drive in the U.S. Congress to pass a law requiring companies with data breaches to notify affected customers may get bogged down in old arguments.

Lawmakers and witnesses at a Tuesday hearing argued about whether a national data breach notification law should preempt 47 existing state laws and whether breached companies should be required to notify customers even when they determine their breaches are unlikely to cause harm.

Disagreements over those two issues have been part of the reason why Congress hasn't passed a national data breach notification law over the past decade. But the time has come for Congress to pass a national law, members of the House of Representatives Energy and Commerce Committee's commerce subcommittee said.

U.S. consumers want Congress to pass such a law, said Representative Michael Burgess, a Texas Republican and subcommittee chairman. Earlier this month, President Barack Obama called for a national law, and the committee intends to move a bipartisan bill forward, Burgess said.

Still, lawmakers will have to iron out major conflicts about the scope of a new law. Representatives of trade groups TechAmerica and the Retail Industry Leaders Association [RILA], as well as database marketing firm Acxiom, called on Congress to preempt the 47 state breach notification laws — plus those from the District of Columbia, Guam, the Virgin Islands and Puerto Rico — that are already on the books.

Complying with dozens of frequently changing state laws creates a "burdensome and complex compliance regime," said Elizabeth Hyman, executive vice president for public policy at TechAmerica. "A strong, single standard that applies throughout the country will ensure our consumers are safer and ensure our companies are well-informed about how to respond to the growing threat of data breaches."

A "carefully crafted federal data breach law can clear up regulatory confusion" while protecting consumers, added Brian Dodge, RILA's executive vice president for communications and strategic initiatives. Preempting state laws would "allow consumers to have a clear set of expectations" about notifications, he said.

A new national standard should not be a "48th data breach law with which retailers must comply," Dodge added.

But some Democratic subcommittee members questioned whether a national law should preempt all existing state laws. "There have been many important protections at the state level that we don't want to eliminate when we do federal legislation," said Representative Jan Schakowsky, an Illinois Democrat. "We have to be sure that we don't weaken protections that consumers expect and deserve."

If a national law preempts strong state laws, "hard won consumer protections will be lost," added Woodrow Hartzog, a law professor focused on data privacy issues at Samford University.

Dodge and Acxiom's chief privacy officer Jennifer Barrett-Glasgow also said that breached companies shouldn't be forced to notify customers if they conclude that the attack is unlikely to lead to identity theft or economic harm.

 
