On Tuesday, the House Energy & Commerce Subcommittee on Commerce, Manufacturing, and Trade held a hearing entitled "What are the Elements of Sound Data Breach Legislation?" This hearing was the first of the new Congress to focus on data breach issues and is likely an initial step towards potential enactment of federal data breach notification legislation. It is also significant that Subcommittee Chairman Michael Burgess (R-TX) chose to focus his first hearing as chairman on data breach legislation. The Subcommittee is currently seeking input from interested parties as staff develops draft legislation.
The White House recently sent its own data breach notification legislative proposal to Congress (along with other cyber, data, and privacy proposals). A bipartisan group of committee members stated today during the hearing that they were interested in working with the White House on data breach legislation.
Forty-seven states have adopted data breach laws and certain federal laws also contain notification requirements, such as Gramm-Leach-Bliley (GLBA), the Health Insurance Portability and Accountability Act (HIPPA), and Sarbanes-Oxley. Federal data breach legislation is expected to pre-empt existing state laws and establish one federal data breach notification standard. In addition, the legislation is expected to establish a federal data security standard that is technology-neutral.
Witnesses at Tuesday’s hearing included representatives from the technology industry, a data broker and marketing company, the large retailer industry, and a law professor. During the hearing today, witnesses discussed federal pre-emption, harm-based triggers for notification, potential regulation of data brokers, enforcement by the Federal Trade Commission and state attorneys general, and whether to deny private rights of action. Energy & Commerce Committee Chairman Fred Upton (R-MI) and Ranking Member Frank Pallone (D-NJ) each expressed an interest in working with the Subcommittee on data breach legislation to address this issue this year.
The Senate Homeland Security and Government Affairs Committee will hold a hearing on information sharing tomorrow at 2:30 p.m.