Congressional lawmakers from both parties said they were optimistic that they can pass federal data-breach notification legislation after a hearing on Tuesday (Jam. 27), The Hill reported.
“I do sincerely believe that is an achievable goal,” said Rep. Michael Burgess (R-Texas), who chairs the House Subcommittee on Commerce, Manufacturing and Trade, which held the hearing. “It’s clear most of us agree on preemption.” A federal law could preempt the 47 different state breach notification laws that retailers, processors and banks currently have to deal with.
Lawmakers are debating bills that would set the time limits to notify customers after their information had been exposed, and create nationwide data security standards. The White House has released its own legislative proposal, which would set a 30-day window for notification, require companies to report certain breaches to the government and put the Federal Trade Commission in charge of enforcing data security standards.
While major cyberattacks on Target, Home Depot, JPMorgan Chase and Sony Pictures have brought more attention to the issue, questions remain about the practical details of breach notification, said Rep. Peter Welch (D-Vt.), including how much time a company should get to investigate a breach before notifying consumers, what type of breaches should trigger customer notification, whether all sectors should be covered by a federal law, and whether states should retain some power to enforce data breach laws.
Retailers, banks and tech companies have competing priorities for where those lines should be drawn.
The National Retail Federation, in a letter to the subcommittee before the hearing, called for a single national standard that would cover all entities that receive, handle and maintain sensitive personal information.
The Retail Industry Leaders Association, which testified at Tuesday’s hearing, said it would push for flexibility in the method of notification and to ensure notice is required only when there is reasonable belief a breach will cause harm, along with a precise definition of personal information covered by any new law.
Elizabeth Hyman, executive vice president of Tech America, the public policy wing of tech trade group CompTIA, also argued that companies should only have to notify customers if “their information has actually been accessed and only when that information is likely to be used in a harmful manner.”