After years of bipartisan cooperation on laws to protect consumer privacy, debates in Congress over protecting Americans’ personal information are becoming more partisan and, thus, more controversial. As a result, the outcome of future privacy legislation is less certain, making it harder for CIOs to predict what they will have to do to comply with new rules.In November, the House Energy and Commerce Committee voted along party lines to send a consumer privacy bill—the Data Accountability and Trust Act (DATA)—to the House floor. It was the first time any federal security or privacy legislation had caused such a divide, observes Behnam Dayanim, a privacy attorney with Paul, Hastings, Janofsky & Walker. The bill, sponsored by Rep. Cliff Stearns (R-Fla.), would establish nationwide rules for companies when notifying customers of a data security breach that exposes their personal information such as names, addresses, credit card numbers and Social Security numbers. The Senate is considering a similar bill. SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe The law would preempt existing state laws and, according to privacy experts and Democrats, would weaken them. For example, unlike California’s notification law, which requires that companies tell customers of any security breach, DATA would require notification only if company executives determine there is “a significant risk” that information has been stolen. As such, scoffs Rep. John Dingell (D-Mich.), DATA’s notification provisions are actually “no notice” provisions. Many companies, because they have customers in California, base their notification practices on the California law. Republicans say their bill will provide relief for these companies because it would cut down on notices about breaches that do not expose consumers’ data. But the bill could make work for CIOs because it requires companies that store consumers’ personal data to identify security vulnerabilities and a method to mitigate them, something state laws do not demand.Lawmakers will continue to wrangle over the measure this year. Meanwhile, Dayanim says, companies that store data from individuals from multiple states need to err on the side of caution and consider any security breach as requiring notification. Related content feature Mastercard preps for the post-quantum cybersecurity threat A cryptographically relevant quantum computer will put everyday online transactions at risk. Mastercard is preparing for such an eventuality — today. By Poornima Apte Sep 22, 2023 6 mins CIO 100 CIO 100 CIO 100 feature 9 famous analytics and AI disasters Insights from data and machine learning algorithms can be invaluable, but mistakes can cost you reputation, revenue, or even lives. These high-profile analytics and AI blunders illustrate what can go wrong. By Thor Olavsrud Sep 22, 2023 13 mins Technology Industry Generative AI Machine Learning feature Top 15 data management platforms available today Data management platforms (DMPs) help organizations collect and manage data from a wide array of sources — and are becoming increasingly important for customer-centric sales and marketing campaigns. By Peter Wayner Sep 22, 2023 10 mins Marketing Software Data Management opinion Four questions for a casino InfoSec director By Beth Kormanik Sep 21, 2023 3 mins Media and Entertainment Industry Events Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe