Old arguments may bog down US data breach notification legislation

Questions about preemption of state laws and when companies should report breaches come up again during a hearing

Debates around data

Debates around data

A drive in the U.S. Congress to pass a law requiring companies with data breaches to notify affected customers may get bogged down in old arguments.

Lawmakers and witnesses at a Tuesday hearing argued about whether a national data breach notification law should preempt 47 existing state laws and whether breached companies should be required to notify customers even when they determine their breaches are unlikely to cause harm.

Disagreements over those two issues have been part of the reason why Congress hasn't passed a national data breach notification law over the past decade. But the time has come for Congress to pass a national law, members of the House of Representatives Energy and Commerce Committee's commerce subcommittee said.

U.S. consumers want Congress to pass such a law, said Representative Michael Burgess, a Texas Republican and subcommittee chairman. Earlier this month, President Barack Obama called for a national law, and the committee intends to move a bipartisan bill forward, Burgess said.

Still, lawmakers will have to iron out major conflicts about the scope of a new law. Representatives of trade groups TechAmerica and the Retail Industry Leaders Association [RILA], as well as database marketing firm Acxiom, called on Congress to preempt the 47 state breach notification laws -- plus those from the District of Columbia, Guam, the Virgin Islands and Puerto Rico -- that are already on the books.

Complying with dozens of frequently changing state laws creates a "burdensome and complex compliance regime," said Elizabeth Hyman, executive vice president for public policy at TechAmerica. "A strong, single standard that applies throughout the country will ensure our consumers are safer and ensure our companies are well-informed about how to respond to the growing threat of data breaches."

A "carefully crafted federal data breach law can clear up regulatory confusion" while protecting consumers, added Brian Dodge, RILA's executive vice president for communications and strategic initiatives. Preempting state laws would "allow consumers to have a clear set of expectations" about notifications, he said.

A new national standard should not be a "48th data breach law with which retailers must comply," Dodge added.

But some Democratic subcommittee members questioned whether a national law should preempt all existing state laws. "There have been many important protections at the state level that we don't want to eliminate when we do federal legislation," said Representative Jan Schakowsky, an Illinois Democrat. "We have to be sure that we don't weaken protections that consumers expect and deserve."

If a national law preempts strong state laws, "hard won consumer protections will be lost," added Woodrow Hartzog, a law professor focused on data privacy issues at Samford University.

Dodge and Acxiom's chief privacy officer Jennifer Barrett-Glasgow also said that breached companies shouldn't be forced to notify customers if they conclude that the attack is unlikely to lead to identity theft or economic harm.

A notification law shouldn't inundate consumers with "meaningless notices when there is no risk of harm," Barrett-Glasgow said.

But Congress shouldn't leave the decision to send out notices in the hands of breached companies, Hartzog said. Consumer problems from data breaches go beyond ID theft or economic harm, to include damage to reputation or a loss of personal data that can lead to phishing attacks months later, he said. A new law should default to reporting data breaches, not to determining harm before reporting, he said.

Relying on breached companies to determine harm to customers "is a dubious proposition in several different ways," Hartzog said. "It's very difficult to draw a line of causation between a breach that occurred and likely harm that can happen sometime in the future."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags governmentlegislationU.S. House of Representatives Energy and Commerce CommitteeTechAmericaAcxiomRetail Industry Leaders AssociationJan SchakowskyMichael BurgessElizabeth HymanJennifer Barrett-GlasgowBrian DodgeSamford UniversityWoodrow Hartzog

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Bitdefender 2019

Bitdefender’s best-in-class security solutions have been awarded Product of the Year. Get cybersecurity that 500 MILLION users already have and trust!

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?