Data breaches a hot topic on the Hill

Two committees will be holding hearings this week, but the fate of legislation aimed at boosting the federal role in combatting data breaches remains uncertain.


Committees in both houses of Congress are holding hearings this week on the recent spate of consumer data breaches, and legislative proposals being discussed would bring more business data under the jurisdiction of federal rules.

The scope of the breaches, with as many as 110 million Target customer records and more than 1 million credit card files at Neiman Marcus, is generating significant activity among legislators and regulators. But it remains to be seen how much appetite exists in Congress to increase the scope of the federal rules governing data containing personally identifiable information.

The Senate Judiciary Committee and the Cybersecurity Subcommittee of the House Homeland Security Committee are hosting nearly identical panels of witnesses at hearings on Feb. 5 and Feb. 6, respectively, with representatives of Target and Neiman Marcus, law enforcement agencies, regulators and private-sector security experts set to testify.

The breaches under discussion are squarely in the private sector. Data-breach notification has heretofore not been a federal responsibility, with most states having their own rules. California's is generally considered the strictest, and was recently updated to require reporting of breaches that include disclosure of usernames and passwords, in addition to Social Security numbers and financial information.

Congress has grappled with the issue in the past, but efforts to pass legislation have foundered on whether to give the federal government authority to require companies to comply with data-protection standards.

"Interest is higher than it ever has been before. If Congress can't do it under these circumstances, then we're really missing a good window of opportunity," said Chablinsky, who termed federal notification proposals non-controversial.

A few bills introduced in the wake of the Target breach look to establish reporting requirements and set data protection standards.

The Data Security and Breach Notification Act, from Senate Intelligence Committee Chairwoman Dianne Feinstein (D-Calif.) and Commerce Chairman Jay Rockefeller (D-W.Va.), would put the Federal Trade Commission in charge of developing standards for protecting stored consumer data. The bill would also establish an office inside the Department of Homeland Security where companies with compromised databases would be required to report breaches.

Another Senate bill, from Judiciary Chairman Pat Leahy (D-Vt.), would require companies with records on more than 10,000 individuals to comply with a set of data privacy protection standards developed by the FTC. Leahy’s bill also would increase criminal penalties for data thieves.

Both bills would consolidate reporting of data breaches inside government, by an entity at DHS. This could give law enforcement a bird's-eye view of attempts at cyber-penetration that is currently lacking.