Old arguments may bog down US data breach notification legislation

Questions about preemption of state laws and when companies should report breaches come up again during a hearing

Debates around data

Debates around data

A drive in the U.S. Congress to pass a law requiring companies with data breaches to notify affected customers may get bogged down in old arguments.

Lawmakers and witnesses at a Tuesday hearing argued about whether a national data breach notification law should preempt 47 existing state laws and whether breached companies should be required to notify customers even when they determine their breaches are unlikely to cause harm.

Disagreements over those two issues have been part of the reason why Congress hasn't passed a national data breach notification law over the past decade. But the time has come for Congress to pass a national law, members of the House of Representatives Energy and Commerce Committee's commerce subcommittee said.

U.S. consumers want Congress to pass such a law, said Representative Michael Burgess, a Texas Republican and subcommittee chairman. Earlier this month, President Barack Obama called for a national law, and the committee intends to move a bipartisan bill forward, Burgess said.

Still, lawmakers will have to iron out major conflicts about the scope of a new law. Representatives of trade groups TechAmerica and the Retail Industry Leaders Association [RILA], as well as database marketing firm Acxiom, called on Congress to preempt the 47 state breach notification laws -- plus those from the District of Columbia, Guam, the Virgin Islands and Puerto Rico -- that are already on the books.

Complying with dozens of frequently changing state laws creates a "burdensome and complex compliance regime," said Elizabeth Hyman, executive vice president for public policy at TechAmerica. "A strong, single standard that applies throughout the country will ensure our consumers are safer and ensure our companies are well-informed about how to respond to the growing threat of data breaches."

A "carefully crafted federal data breach law can clear up regulatory confusion" while protecting consumers, added Brian Dodge, RILA's executive vice president for communications and strategic initiatives. Preempting state laws would "allow consumers to have a clear set of expectations" about notifications, he said.

A new national standard should not be a "48th data breach law with which retailers must comply," Dodge added.

But some Democratic subcommittee members questioned whether a national law should preempt all existing state laws. "There have been many important protections at the state level that we don't want to eliminate when we do federal legislation," said Representative Jan Schakowsky, an Illinois Democrat. "We have to be sure that we don't weaken protections that consumers expect and deserve."

If a national law preempts strong state laws, "hard won consumer protections will be lost," added Woodrow Hartzog, a law professor focused on data privacy issues at Samford University.

Dodge and Acxiom's chief privacy officer Jennifer Barrett-Glasgow also said that breached companies shouldn't be forced to notify customers if they conclude that the attack is unlikely to lead to identity theft or economic harm.

A notification law shouldn't inundate consumers with "meaningless notices when there is no risk of harm," Barrett-Glasgow said.

But Congress shouldn't leave the decision to send out notices in the hands of breached companies, Hartzog said. Consumer problems from data breaches go beyond ID theft or economic harm, to include damage to reputation or a loss of personal data that can lead to phishing attacks months later, he said. A new law should default to reporting data breaches, not to determining harm before reporting, he said.

Relying on breached companies to determine harm to customers "is a dubious proposition in several different ways," Hartzog said. "It's very difficult to draw a line of causation between a breach that occurred and likely harm that can happen sometime in the future."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Jan SchakowskyAcxiomU.S. House of Representatives Energy and Commerce CommitteeMichael BurgessRetail Industry Leaders AssociationlegislationTechAmericaBrian DodgeElizabeth HymanSamford UniversityJennifer Barrett-Glasgowsecuritydata breachWoodrow Hartzoggovernment

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?