WASHINGTON, DC - The Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael C. Burgess, M.D. (R-TX), today held a hearing to discuss the need for federal data breach legislation and what that legislation should look like.
“Increasingly, our personal details-which we need to verify financial transactions-are converted into data and uploaded to networks of servers that can’t be protected with a simple lock and key," said Chairman Burgess.
Stakeholders and members examined what elements should be included in data breach legislation and noted the particular importance of federal preemption.
“A single requirement across the states would give companies some confidence that their methods are sound in handling electronic data, an inherently interstate activity. Moreover, it would put all companies on notice that if you fail to keep up with other companies and if you aren’t learning from other breaches, you will be subject to federal enforcement," continued Burgess.
Brian Dodge, testifying for the Retail Industry Leaders Association, described the difficulty retailers currently face in complying with a complex system of duplicative and sometimes conflicting state laws. “RILA supports federal data breach notification legislation that is practical, proportional and sets a single national standard that replaces the often incongruous and confusing patchwork of state laws in place today. A single, clear, preemptive federal standard will help ensure that customers receive timely and accurate information following a breach," said Dodge.
Elizabeth Hyman, Executive Vice President of Public Policy for Tech America, echoed the need for a strong national standard. “With the increasingly mobile and decentralized nature of our economy and data storage and dissemination technologies, most companies are under the umbrella of multiple state laws at all times. This patchwork of state data breach notification laws creates significant compliance costs since no two state data breach laws are exactly the same," said Hyman. “Any federal data breach notification law must preempt state laws and requirements. Without strong preemption language, the entire basis for enacting a federal data breach notification standard disappears."
Jennifer Glasgow, Chief Privacy Officer at Acxiom Corporation, added, “From the consumer’s perspective, a single federal standard not only increases their confidence in the safeguards protecting information businesses hold, but also makes notice procedures in the event of a breach clearer."
The panel discussed other components of a bill such as the timing required for a notification standard and the trigger for enforcement.
“No committee is more aware than this one about how central the online economy is to our future. A data breach bill is the first step to securing that future," concluded full committee Chairman Fred Upton (R-MI).
