Following one of our nation’s most difficult years in terms of cybersecurity, both parties in the House of Representatives have expressed optimism about passing data breach legislation that would require companies to notify consumers when their information has been compromised in a cyberattack.
For years, attempts to pass similar bills have been met with apathy, but after a hearing that took place this week, both sides of the political spectrum appear to be on the same page when it comes to the importance of cybersecurity.
“I do sincerely believe that is an achievable goal,” Rep. Michael Burgess (R-Texas), chairman of the House Subcommittee on Commerce, Manufacturing and Trade, which held the hearing, said. “It’s clear most of us agree on preemption.”
According to The Hill, lawmakers are considering a law that would not only require companies to notify consumers after a data breach, but also to contact them within a certain time period after their personal information has been compromised. High-profile data breaches, such as those at Target, Home Depot and Sony Pictures, have contributed to the momentum to pass a federal data breach bill.
The White House has also voiced concern to Congress about the lack of laws protecting consumers’ personal and financial information during a cyberattack. If lawmakers manage to pass this cybersecurity legislation, federal data security standards would likely be set and enforced by the Federal Trade Commission (FTC).
As many as 47 state-based data breach notification bills have come to the attention of lawmakers and industry groups across the country. Elizabeth Hyman, executive vice president of Tech America, says that 17 bills have been introduced by seven states in 2015 alone. Needless to say, lawmakers will be required to take an in-depth look at cybersecurity as a whole in order to figure out how best to protect the consumer in the inevitable data breaches to come.
Some industry groups claim that a federal standard may cause consumers to become “overnotified,” leaving those affected by a data breach overwhelmed with messages.
“Industry in general is very sensitive to the over-notification problem,” said Jennifer Glasgow, chief privacy officer for data broker Acxiom.
Hyman also suggests customers should only be notified if “their information has actually been accessed and only when that information is likely to be used in a harmful manner.”
However, data breach law expert Woodrow Hartzog from the Cumberland School of Law warned that “it can be extremely difficult to meet the burden of proof that harm is actually likely in any one instance.”
In response to concerns about over-notification under the pending data breach legislation, Rep. Jan Schakowsky (D-Ill.), the subcommittee’s ranking member, said, “The problem of over-notification is also one that can tend to be overinflated.”