Federal legislation to require reporting of a data breach within 30 days has passed its first milestone on the way to becoming law, but not everyone is happy with the details, The Hill reported on Thursday (March 26).
The Data Security and Breach Notification Act of 2015, which was sponsored by Republican Rep. Marsha Blackburn and Democratic Rep. Peter Welch, was approved by the House Energy and Commerce Subcommittee on Trade, and will now head to the full Energy and Commerce Committee with amendments.
The current version of the bill requires that a business inform customers within 30 days if their data might have been stolen during a breach. The clock starts after the business has discovered the breach and conducted a good-faith investigation to determine if there’s a reasonable risk of identity theft, financial fraud or economic loss or harm, and restored the security of the breached systems.
In addition, the amended bill would require breached third-party vendors to notify affected consumers on the same schedule.
But the bill also preempts state notification and security requirements, many of them conflicting. Opponents of previous breach bills have fought for a single national standard both for notifications and security requirements. The new legislation bumps out specific requirements that exist in 47 states in favor of maintaining “reasonable security measures and practices.”
The bill replaces the state requirements “with an unclear standard that surely will be litigated and left to judicial interpretation,” Democratic Rep. Frank Pallone complained, according to Bank Info Security.
However, in practice, every major breach eventually ends up in court, and even detailed security requirements like the Payment Card Industry Data Security Standards don’t guarantee a business won’t be breached. (The clearest standard for acceptable security is still “if they got in, the security wasn’t good enough.”)
The bill would make enforcement of the breach notifications the job of the Federal Trade Commission, with violations subject to a fine of up to $2.5 million, and require the FTC to launch an educational program and website about data security aimed at small businesses.