Old arguments may bog down US data breach notification legislation

Questions about preemption of state laws and when companies should report breaches come up again during a hearing

A drive in the U.S. Congress to pass a law requiring companies with data breaches to notify affected customers may get bogged down in old arguments.

Lawmakers and witnesses at a Tuesday hearing argued about whether a national data breach notification law should preempt 47 existing state laws and whether breached companies should be required to notify customers even when they determine their breaches are unlikely to cause harm.

Disagreements over those two issues have been part of the reason why Congress hasn't passed a national data breach notification law over the past decade. But the time has come for Congress to pass a national law, members of the House of Representatives Energy and Commerce Committee's commerce subcommittee said.

U.S. consumers want Congress to pass such a law, said Representative Michael Burgess, a Texas Republican and subcommittee chairman. Earlier this month, President Barack Obama called for a national law, and the committee intends to move a bipartisan bill forward, Burgess said.

Still, lawmakers will have to iron out major conflicts about the scope of a new law. Representatives of trade groups TechAmerica and the Retail Industry Leaders Association [RILA], as well as database marketing firm Acxiom, called on Congress to preempt the 47 state breach notification laws -- plus those from the District of Columbia, Guam, the Virgin Islands and Puerto Rico -- that are already on the books.

Complying with dozens of frequently changing state laws creates a "burdensome and complex compliance regime," said Elizabeth Hyman, executive vice president for public policy at TechAmerica. "A strong, single standard that applies throughout the country will ensure our consumers are safer and ensure our companies are well-informed about how to respond to the growing threat of data breaches."

A "carefully crafted federal data breach law can clear up regulatory confusion" while protecting consumers, added Brian Dodge, RILA's executive vice president for communications and strategic initiatives. Preempting state laws would "allow consumers to have a clear set of expectations" about notifications, he said.

A new national standard should not be a "48th data breach law with which retailers must comply," Dodge added.

But some Democratic subcommittee members questioned whether a national law should preempt all existing state laws. "There have been many important protections at the state level that we don't want to eliminate when we do federal legislation," said Representative Jan Schakowsky, an Illinois Democrat. "We have to be sure that we don't weaken protections that consumers expect and deserve."

If a national law preempts strong state laws, "hard won consumer protections will be lost," added Woodrow Hartzog, a law professor focused on data privacy issues at Samford University.

Dodge and Acxiom's chief privacy officer Jennifer Barrett-Glasgow also said that breached companies shouldn't be forced to notify customers if they conclude that the attack is unlikely to lead to identity theft or economic harm.

A notification law shouldn't inundate consumers with "meaningless notices when there is no risk of harm," Barrett-Glasgow said.

But Congress shouldn't leave the decision to send out notices in the hands of breached companies, Hartzog said. Consumer problems from data breaches go beyond ID theft or economic harm, to include damage to reputation or a loss of personal data that can lead to phishing attacks months later, he said. A new law should default to reporting data breaches, not to determining harm before reporting, he said.

Relying on breached companies to determine harm to customers "is a dubious proposition in several different ways," Hartzog said. "It's very difficult to draw a line of causation between a breach that occurred and likely harm that can happen sometime in the future."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.
