Is it time for a national data breach notification law?
Federal lawmakers are again considering legislation that would create nationwide rules for notifying potential victims of identify theft when organizations improperly expose their sensitive information.
The Senate Judiciary Committee approved two bills this month that would impose data breach notification requirements on businesses, and a bill with notification requirements is making its way through the House.
It’s not the first time lawmakers have pushed for such federal requirements. However, previous efforts stalled in the legislative process. In the absence of federal requirements, most states have promulgated their own laws, creating a complicated legal patchwork.
Gail Hillebrand, senior attorney at the West Coast Office of Consumers Union, a nonprofit organization that publishes Consumer Reports, said some states have requirements that are more stringent than the ones that Congress is proposing. Hillebrand said consumers are already receiving proper notifications from businesses and that companies tend to follow the requirements of the state with the highest standards when there is a breach that affects people nationwide.
She said it was a positive sign that the bill proposed by Sen. Patrick Leahy (D-Vt.) dealt with data brokers, or businesses that get paid for collecting, transmitting or providing sensitive personal data.
Hillebrand said her group supports both bills that recently made it through the Senate Judiciary Committee and supports the notice of breach approach in the House bill. However, for the House measure, the group has concerns about the scope of the pre-emption of state laws that address data safeguards.
Meanwhile, Enrique Salem, CEO of Symantec, said in an e-mail that the Leahy bill was “a major step forward towards enacting a comprehensive, uniform national framework to better prevent breaches of sensitive consumer information as well as setting a clear standard for effective notification should a breach occur.” Salem said Symantec believes the United States urgently needs to pass a national data breach law.
Ben Bain is a reporter for Federal Computer Week.