Legislators held a hearing on the Personal Data Notification & Protection Act to consider one of the privacy bills recently proposed by President Barack Obama.
Last month, the President paid a visit to the Federal Trade Commission and announced several pieces of legislation touching on privacy, data security, and data breach notification.
The President’s Personal Data Notification & Protection Act would establish nationwide, uniform consumer data breach notification rules in lieu of the current patchwork of 47 different state laws. The law would also beef up criminal penalties for hackers and require that companies notify consumers of a breach within 30 days.
Using the bill as a reference point, industry members testified before the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade on “What Are the Elements of Sound Data Breach Legislation?”
The majority of the speakers agreed that the creation of a uniform standard would benefit companies facing the challenges of compliance with different state laws. “States are constantly changing and updating their laws,” explained TechAmerica executive vice president Elizabeth Hyman. Samford University’s Cumberland School of Law professor Woodrow Hartzog disagreed, however, telling lawmakers that the federal law should serve only as a floor, not a ceiling, leaving states free to enact more protective laws. “Limited-scale preemption is okay; it’s not an all-or-nothing game,” he said.
Witnesses also debated issues like which entity should be responsible for the notification (the organization that suffered a breach or the consumer-facing business?) and the time period for notification (once the breach has been confirmed or after giving law enforcement time to investigate?).
Other speakers voiced support for a harm-based trigger to notify consumers. Brian Dodge, executive vice president of the Retail Industry Leaders Association, said the standard should be economic harm, a view shared by Hyman and Acxiom’s chief privacy officer Jennifer Barrett Glasgow. Hartzog again took a contrary position “because the concept of harm within privacy law is so contested,” adding that it can be difficult to establish a causal link between a breach and a particular harm in data breach cases.
Concerns about the dangers of over-notification were also voiced. Some speakers testified that the more data breach notices consumers receive, the more likely they are to tune them out.
Why it matters: The future of data breach notification legislation remains uncertain, but the issue is top of mind in the nation’s capital. Legislators are tackling issues like privacy and cybersecurity in a variety of forms. In addition to the hearing, Reps. Bobby Rush (D-Ill.) and Joe Barton (R-Texas) reintroduced the Data Accountability and Trust Act this week. The bill would require the FTC to establish a nationwide data security standard, mandate that the agency and consumers be notified of a data breach, and create civil penalties of up to $5 million for failure to adhere to the standards.