Could this be the year for data-breach legislation?
Widespread support exists for creating a national data-breach reporting standard, but details remain to be ironed out.
From Sony to Home Depot to Target, it seems like there's always a fresh corporate data breach in the news. After every big hack, there's a call for new legislation creating a national standard for notification so consumers will know when their personal information is compromised. President Barack Obama called for a single standard in a speech at the Federal Trade Commission made a week before the State of the Union address.
For Republicans in Congress looking for areas of bipartisan cooperation, data-breach notification could prove to be low-hanging fruit. There is widespread support for creating a national standard as an alternative to the 47 state laws that currently govern data breaches, although there are some key details to be ironed out.
"A single requirement across the states would give companies some confidence that their methods are sound in handling electronic data, an inherently interstate activity," Texas GOP Rep. Michael Burgess, chairman of the Subcommittee on Commerce, Manufacturing and Trade of the House Energy and Commerce Committee, said at a Jan. 27 hearing.
The basics of such legislation would include a uniform definition of what constitutes a breach, a standard for judging whether a breach has the potential to cause harm, and a time limit within which consumers must be notified. Then there are the more controversial questions of whether companies that notify consumers about data breaches would be indemnified against lawsuits and whether a federal standard would preempt state laws or simply augment them.
If Congress does get into the data-breach business, some federal agency would be tasked with oversight of the policy. The Federal Trade Commission has put down a marker as a regulator for minimum standards of data protection. In 2012, the FTC sued Wyndham Hotels and Resorts over a data breach, arguing that the company had failed to take adequate steps to protect customer data. That suit is working its way through appeals, but so far the FTC's jurisdiction over data breaches as a consumer protection matter has been upheld. FTC attorney Leslie Fair wrote in a blog post that so far the agency has settled 53 cases and that the number would "likely go up." An Obama administration proposal taps the FTC to write rules and supply definitions covering data-breach reporting.
Industry is looking for more clarity from a single federal standard, according to witnesses representing retailers and data brokers. Part of that is because while a handful of states have relatively minimal or no data-breach reporting requirements, others -- including California and Connecticut -- demand that their residents be notified within five days of a hack. As a practical matter, national firms often adopt the most stringent state standard as a baseline for doing business, a fact not lost on those Democrats who seek tougher federal rules.
"While I clearly believe the federal government should have a role in data breach ... I also believe that there have been many important protections that are at the state level that we don't want to eliminate when we do federal legislation," said Illinois Rep. Jan Schakowsky, the subcommittee’s ranking Democrat.
While some Democrats on the panel cautioned against preemption, Rep. Peter Welch (D-Vt.) said he's "been persuaded that if we can get the right standard, this is one of those situations where it really makes sense to have preemption." Welch is working on a bill with Rep. Marsha Blackburn (R-Tenn.), vice-chairman of the full Energy and Commerce Committee. The Obama proposal sets a single 30-day national standard for notification that would supersede state law.