Industry groups, Federal Trade Commission Commissioner Julie Brill, and Attorney General Eric Holder agree on at least one thing: the time has come for data security legislation.
Speaking at Princeton University, Brill referenced high-profile data breaches such as the Target incident, in which the credit card information of tens of millions of customers was hacked. “I think it is increasingly clear that the United States needs data security legislation,” she said.
The call for lawmakers to address data security was just one of three areas of legislation Brill advocated for in her “Big Data and Consumer Privacy: Addressing Challenges and Finding Solutions” address. She also called on Congress to enact bills regulating data brokers and establish “baseline” privacy rights for consumers.
Brill – who characterized herself as a “lifelong consumer protection advocate” – was joined in her support for data breach legislation by Attorney General Eric Holder, who expressed his views in a recent video address.
Also citing the Target incident, Holder said it “is time for leaders in Washington to provide the tools that we need to do even more by requiring businesses to notify American consumers and law enforcement in the wake of significant data breaches.” Holder said a “strong, national standard” could empower consumers to protect themselves and enable law enforcement efforts to track down hackers.
In addition, the legislation should “hold compromised entities accountable when they fail to keep sensitive information safe,” although it should also provide “reasonable exemptions for harmless breaches to avoid placing unnecessary burdens on businesses that do act responsibly,” Holder added.
The Direct Marketing Association and data broker Acxiom echoed the sentiment.
“The DMA aims to preserve the benefits of data-driven marketing by asking Congress to focus its legislative efforts on passing a national breach notification law that would preempt state laws,” senior vice president for government affairs Peggy Renken Hudson wrote in a letter to Congress last month. “The current state of affairs is that there are more than 47 state laws that may apply depending on the state in which a consumer lives. This patchwork of laws is unwieldy, inefficient, and confusing. Businesses and consumers will be better served with a single, cohesive, transparent federal law.”
Jennifer Barret-Glasgow, the chief privacy officer at Acxiom, said the company has backed legislation for the last decade. “There have been several bills introduced in this time frame, but none have passed, mainly because there were other provisions included in these bills that were not related to breaches and were controversial,” she told Ad Age. “We are hopeful that this year we may finally get a strong and workable national standard.”
At least four bills have already been proposed in the Senate this legislative term. Sen. Patrick Leahy (D-Vt.) introduced the Personal Data Privacy and Security Act, while Sens. Dianne Feinstein (D-Calif.), John Rockefeller (D-W.Va.), Mark Pryor (D-Ark.), and Bill Nelson (D-Fla.) sponsored the Data Security and Breach Notification Act.
Sens. Roy Blunt (R-Mo.) and Tom Carper (D-Del.) reintroduced their Data Security Act and Sens. Richard Blumenthal (D-Conn.) and Ed Markey (D-Mass.) got in on the action with the Personal Data Protection and Breach Accountability Act.
Why it matters: The scope of the Target security lapse (currently estimated to impact at least 110 million customers), combined with other high-profile incidents such as the holiday breach at Neiman Marcus and the recent revelation of a security gap in Apple software, has yielded strong support for national data security legislation from industry, regulators, and law enforcement. It remains to be seen whether that support will translate into legislative action and the enactment of a data security law.