Could a national data breach law be just around the corner? President Obama's call for a Personal Data Notification and Protection Act during his State of the Union (SOTU) may be just the kick the 114th Congress needs to hammer out legislation by midyear.
Addressing the Federal Trade Commission (FTC), the agency that has aggressively pursued companies that it feels have not properly safeguarded customer data, a week before delivering the SOTU, the President envisioned a national law that would clarify and strengthen “the obligations companies have to notify customers when their personal information has been exposed.” A key part of that law would be “a 30-day notification requirement from the discovery of a breach.”
National data breach legislation would set a federal standard for defining the parameters of a breach and the timeframe in which companies must report a breach to law enforcement authorities and consumers. The hope among many business groups is that a national law would also preempt an unmanageable patchwork of 47 state laws and instead replace them with a uniform set of statutes that companies would have to follow.
If the national law is enacted, companies will benefit from “the certainty of a single, national standard,” the White House said.
“We support a national data breach bill so companies can respond to breaches in a consistent manner,” says Tiffany Jones, senior vice president and chief revenue officer at iSIGHT Partners, a Dallas-based security firm.
Jones, who has testified before Congress on the growing malware threat landscape and the need for national data breach legislation, says companies can spend millions of dollars complying with all the state laws. Tack on the cost of a breach, the cost for cleanup, lost revenue and lost market share, and Jones says there's very strong sentiment in the business community to finally get something done this year.
Lobbyists from groups such as the Direct Marketing Association and National Retail Federation would love to get a bill done this year, but they are realistic. Officials from these trade groups readily acknowledge that they've been building coalitions to support national breach legislation for nearly 10 years now, but some say following the high-profile Target, Home Depot and Sony hacks of the past year, this time could be different.
“It's become very complicated for companies to comply with all the different state laws,” says Rachel Nyswander Thomas, vice president of government affairs for the Direct Marketing Association, one of the trade groups leading the charge for national legislation for the past decade. “With all the cases of new breaches in the news, it has become clear that both consumers and businesses have become victims. Plus, companies are global let alone national.” She adds that a national standard would reduce some of that complexity.
Dave Frymier, chief information security officer at Unisys Corp., a global information technology company based in Blue Bell, Penn., says the Sony hack may be a taste of what's ahead. Lost in the uproar over the release of the movie The Interview were the hacks into Sony's corporate offices and intellectual property.
“In the past we've had to worry about nation-states stealing intellectual property or organized crime groups that were in it for the money, but the Sony hack was different,” he says. “This was a case of disruption of operations for political or ideological purposes.”