National Data Breach Notifications Would Replace 'Patchwork' of State Statutes
Technology trade group executives make the case for a single, nationwide standard for notifying customers in the event of a breach.
Thu, July 18, 2013
CIO — Members of a House subcommittee on Thursday heard an essentially unanimous call from a panel of witnesses for a national data-breach notification standard to replace the wide-ranging laws currently on the books in 48 states.
The disagreement, such as it was, came in the form of how such a law should be tailored, but witnesses and lawmakers alike expressed broad support for a national law to replace what Rep. Lee Terry (R-Neb.), the chairman of the Energy and Commerce Committee's subcommittee on commerce, manufacturing and trade, called the "patchwork of state and territory-specific statutes."
The word "patchwork" was uttered often as witnesses described the compliance burden of adhering to the notification requirements prescribed by the various states, which can include different triggers for sending out a notice of a breach, such as inconsistent definitions for personally identifiable information.
Creating Betters Risk Management Policies
"While many businesses have managed to adapt to these various laws, a properly defined data breach notification standard would go a long way to guide organizations on how to address cyber threats in their risk management policies," says Kevin Richards, senior vice president for federal government affairs with the trade group TechAmerica.
"It also would help prevent breaches and give guidance on how best to respond if an organization should fall victim to a breach caused by an attack," Richards adds. "It would be particularly helpful for smaller businesses, many of whom cannot afford teams of lawyers to navigate 48 breach standards should something bad actually happen."
TechAmerica advocates for a uniform, risk-based approach to data breach notifications that would preempt state laws. Central to that system would be a common definition of the types of data compromised--names, addresses, Social Security numbers and so on -- that would trigger the notification requirement. Richards also warned lawmakers against writing into law specific approaches to mitigating data breaches, urging that any bill be "technology neutral."
Jeff Greene, senior policy counsel for cybersecurity and identity with Symantec, offers the estimate that 93 million identities were exposed last year as a result of data breaches, while cyber crime accounted for $110 billion in consumer losses.
"The cost of these breaches is real," Greene says.
Thursday's hearing was timely. That morning, reports began appearing that the hacktivist group Anonymous had accessed the email accounts of thousands of Capitol Hill staffers.