WASHINGTON, DC - The Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Lee Terry (R-NE), today held a hearing on “Reporting Data Breaches: Is Federal Legislation Needed to Protect Consumers?" The hearing allowed members to explore data breach trends occurring within the United States and whether federal legislation is needed to protect consumers. Currently, at least 48 states and U.S. territories have laws on the books requiring notification after some types of data breach. The cost of complying with this patchwork of laws is estimated at more than $100 billion.
“Consumers should have the peace of mind that their data is protected in a responsible way. But with all types of nefarious activities online, cyber criminals are finding new ways to steal data," said Terry. “So in the event that our personal data becomes exposed, we need to be able to trust that the companies in possession of our data will notify us of the exposure. And certainly it is in those companies’ best interest to notify promptly and clearly in order to preserve a trusting relationship with consumers. Given these considerations, the question before us is: What are the rules of the road for companies that experience a breach in their data stores?… Currently, the laws that govern data breach notification are a patchwork of state and territory-specific statutes. Unfortunately, they tend to differ from each other in many ways."
While most states have their own breach notification laws, no federal notification regime currently exists. The existing state and territory patchwork of breach notification laws creates an environment in which companies who suffer a breach must then wade quickly through dozens of different definitions of personal information, event triggers, and notification timeframes to determine how to proceed.
Kevin M. Richards, Senior Vice President of Federal Government Affairs for TechAmerica, described the case for federal legislation. “The question the committee is addressing today, whether federal legislation is necessary to protect consumers, is the right question to ask. State laws often vary needlessly and in some cases don’t make sense. Therefore, we do believe that federal legislation is, in fact necessary." He also noted, however, that some companies “are not experiencing difficulties in complying with the various state data breach notification laws and for these firms a law that codifies one federal set of regulations and pre-empts state laws would be helpful, but not vital." He went on to add that “notifying and empowering consumers with information about data breaches and the steps they can and should take to protect themselves in the event of a data breach… has likely mitigated the potential harm to consumers that may occur as a result of a data breach."
Debbie Matties, Vice President of Privacy with CTIA - The Wireless Association, explained the difficulty in complying with conflicting state requirements, stating, “For example, some states require breach notifications to occur ‘without unreasonable delay,’ whereas other states require specific timeframes for notification. Some states provide an exemption from breach notification for immaterial breaches, whereas other states do not. Most states provide an exemption from breach notification if consumers’ information is encrypted, but other states do not."
Highlighting the cost on small businesses to comply with the existing patchwork of laws, Dan Liutikas, Chief Legal Officer with CompTIA, noted, “These compliance obligations are particularly burdensome, however, for the small to medium size business. For example, many of CompTIA’s members are comprised of just a couple of employees with very specific IT skills and core competencies. … An annual report by the Ponemon Institute (and sponsored by Symantec) found that the organizational cost for a data breach event is on average $5.4 million and the cost to an organization for a single breached record is on average $188. Many of the costs associated with data breaches results from legal and regulatory liabilities."
Chairman Terry welcomed the discussion on a federal notification law but also warned against complex and costly new requirements that could further burden job creators, stating, “We must remember that where a breach in data is intentional-for example, if it is done by a ‘hacktivist,’ a foreign agent, or a run-of-the-mill criminal-the company holding the data is also a victim. Burdening these entities with overly complicated notification rules is not a solution to the harms that result from the exposure of personal information."
