This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation.  Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in both the House and Senate to replace with a national standard the 47 currently existing state data breach laws so far have been unsuccessful.  This activity in the House is yet another attempt to enact a federal law governing data security, and today’s hearing made clear that many practical questions still remain for lawmakers to “get it right” on a data breach bill, as Rep. Fred Upton (R-MI) said.

Committee members primarily debated the following questions and concerns:

Covered Entities & Sectors

  • How broadly should a federal data security law reach, and what entities and sectors should be covered?
  • Should sector-specific data breach notification laws, such as those applying to financial and health information, be handled separately under specific regulations?

State Preemption

  • Should a federal data breach rule override state breach-notification laws?
  • Should a federal law weaken the enforcement authority of state attorneys general, or can federal and state enforcement authorities have parallel jurisdiction?

Notification Requirements

  • Which types of breaches should prompt notification?
  • Would a notification obligation based on consumer harm be problematic given the difficulty of proving actual harm?
  • How many days should companies be allowed to investigate a breach before notifying consumers?
  • How can the regulatory approach guard against over-notification?

In addition to Congress’ steady focus on the topic of data breach, earlier this month President Obama announced his proposal for the Personal Data Notification & Protection Act, which would set nationwide rules for data breach notifications and preempt the patchwork of state breach-notification laws.  The White House proposal contains many similarities to bills that already have been introduced, but there are some critical differences.  For example, the bill generally applies to a broader range of categories of personal information than many of the others.  The President’s proposal also contains exceptions for breaches not posing an immediate risk of harm, and for small businesses that do not process large amounts of personal information.

Meanwhile, states continue to enact and strengthen their own data-breach bills.  On the heels of California’s recent changes to its data breach notification statute, New York Attorney General Eric Schneiderman announced this month that he will propose legislation to toughen New York’s data breach notification law.

In a rare push for congressional action in this space, nearly a year ago, Attorney General Eric Holder urged Congress to create a “strong, national standard” for quickly reporting data breaches to consumers.  While such a federal standard has yet to be seen, perhaps the current legislative push, paired with high-profile breaches that are sure to continue, will finally move Congress to act on data security.