U.S. lawmakers plan to resurrect national data breach notification legislation that has failed to pass in past sessions of Congress, but some advocates don't agree on what should be included in a bill.
Six witnesses at a U.S. House of Representatives hearing Thursday called for a national law requiring businesses that lose data in hacker attacks to notify affected customers, but there were differences about whether the bill should preempt 48 existing state laws or should set a minimum standard that state laws can build on.
"Any federal law should not weaken strong state laws," Representative Jan Schakowsky, an Illinois Democrat, said during a hearing of the Energy and Commerce Committee's trade subcommittee. "Any federal response should establish a baseline so that every American can be assured some level of data protection, not just notification after the fact."
Others disagreed, saying a new federal law that doesn't preempt state laws would create a 49th data breach regulation for businesses to comply with. A national standard would be "particularly helpful to small business, many of whom cannot afford teams of lawyers to navigate 48 breach standards, should something bad actually happen," said Kevin Richards, senior vice president for federal government affairs at trade group TechAmerica.
The debate over whether a national law should preempt state laws -- along with debates over what types of information should be subject to breach notification rules and how long companies have before reporting the breaches -- has held up a national breach notification bill in Congress for years, with early bills introduced in the middle of the last debate. But committee members said Thursday they will renew their push for a national law.
Some witnesses and lawmakers also called on Congress to pass comprehensive cybersecurity legislation focused on preventing data breaches along with breach notification. Others suggested that Congress needs a longer debate on comprehensive legislation, while a breach notification bill could be ironed out sooner.
Congress needs to act to prevent the huge number of data breaches happening every year, said Representative Joe Barton, a Texas Republican. In the 1930s, when there was a rash of kidnapping, Congress didn't just pass a "kidnapping notification law," but it gave the U.S. Federal Bureau of Investigation authority to track kidnappers, he said.
David Thaw, a law professor focused on cybersecurity at the University of Connecticut, agreed, saying comprehensive data security regulation, combined with data breach notification rules, would be more effective in protecting consumers and businesses.
"I analogize the effects of breach notification alone to locking the bank or vault door while leaving a back window wide open," he said.
Richards called on the committee to move forward on data breach notification, saying there's some consensus developing around that legislation, but more work to do on a comprehensive bill.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is [email protected]