Ever since President Obama called for a national data breach notification law in his State of the Union address, there has been considerable speculation on what it might look like. This week Congress has gotten a glimpse, as representatives from tech companies, legal circles and trade associations lined up to give their input to a House subcommittee on how the legislation should shape up.
Speaking at the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade hearing, titled “What are the Elements of Sound Data Breach Legislation,” Brian Dodge, executive vice president at the Retail Industry Leaders Association (RILA), called for legislation that would supersede the patchwork of 47 state laws with which companies currently must comply.
Federal legislation should include, he said, a single notification standard. That aligns with the legislators who favor an overarching law; subcommittee Chairman Rep. Michael Burgess, R-Texas, noted that “Federal legislation should include a single but flexible data security requirement.”
While a single, overriding national law is widely advocated and touted as being in the best interest of companies as well as consumers, Woodrow Hartzog, associate professor of law at Samford's Cumberland School of Law and an affiliate scholar at the Center for Internet and Society at Stanford Law School, warned against sweeping aside state laws.
“Data breach legislation should be minimally preemptive because multiple approaches are still needed to determine the best approach to data security and breach notification,” he said.
Dodge also urged the committee to provide for a “reasonable timetable for notification that considers the practical challenges associated with a large scale notice and the investigative needs of law enforcement.”
In addition, he asked for “flexibility in the method of notification” when a business doesn't have contact information for everyone affected by a breach.
Dodge also said the law should only require notice “when there is a reasonable belief” that a breach will lead to or has led to “identity theft, economic loss or harm.” But Hartzog cautioned that notification shouldn't be predicated on showing harm, saying that “notification that in some way is dependent upon a perceived risk of harm…is a dubious and contested concept in policy and academic circles.”
While RILA's Dodge said legislation should confirm that the breached organization bears the responsibility for notification, he called for “flexibility for entities to contractually determine the notifying party.”
Like others, the RILA would like Congress to include “a precise and targeted definition of personal information” and “ensure fair, consistent and equitable enforcement” of the law. Noting that the Federal Trade Commission's robust enforcement activity has collectively created a “common law” of consent decrees that tend to signal what is expected from businesses regarding the collection, use and protection of personal information, Dodge called for a law that lets the commission “consistently apply enforcement of the law based on cases of actual harm.”
“Similarly, to the extent civil penalty authority is provided, this authority should be capped based on actual harm to consumers,” Dodge told legislators. “Also, any legislation should deny a private right of action as it would undermine consistent enforcement.”
While Congress's track record on pushing a national data breach notification law through to fruition is clearly dim, and many of the same old arguments are being dragged out during this latest round of hearings, there is some evidence that this time a federal law may pass. Obama is being widely hailed for putting the White House's weight behind legislative action, even if his proposal falls short in details and originality, and Burgess expressed urgency.
“There is a limited window for us to act,” he said. “Criminal data breaches have grabbed headlines for about a decade, but a consensus solution has thus far eluded federal legislators.”