National Data Breach Standard "One Step Closer" To Reality
By Christine Kern, contributing writer
Subcommittee sends Data Security and Breach Notification Act for consideration by full committee.
The Data Security and Breach Notification Act is on its way to the House Energy and Commerce Committee for consideration on April 15, after being approved by voice vote by the subcommittee last week.
“Finding a workable bipartisan compromise that can become law has been elusive,” Commerce, Manufacturing and Trade Subcommittee Chairman Michael Burgess, R-Texas, said. “But I believe that by focusing on how the criminals make their money we can work together and achieve a workable solution for the millions of Americans impacted by identity theft and financial fraud.”
The move comes despite objections from Democratic lawmakers, the Hill reports. Although the bill will likely experience further revisions before it comes before the full committee, the measure is a significant step towards creating a national breach standard.
The measure would require companies to maintain “reasonable” security practices, and inform all potentially affected customers within 30 days of a breach. Violation of the bill would subject companies to enforcement and censure by the Federal Trade Commission (FTC).
One argument from Democrats is that the legislation would eliminate stronger consumer protections at the state level. And Massachusetts Attorney General Maura Healey has stated that the bill would “scale back our state’s essential safeguards against cybercrime.”
Meanwhile, the bill is being supported by the White House as a necessary and important step towards safeguarding consumer information, and a number of major interest groups and companies have called for a single breach notification standard to replace the hodge-podge of state requirements currently in existence.
Two amendments were added to the bill, including a requirement for breached third-party vendors to notify affected consumers, and a requirement for the FTC to provide education for small businesses regarding data security.
“We are one step closer to enactment of an effective and uniform national standard for data breach notification,” NRF Senior Vice President for Government Relations David French said. “In that vein, we are particularly pleased that the Subcommittee approved the amendment offered by Rep. Pompeo, and supported by Rep. Peter Welch, D-Vt., which will close third-party notice holes. Thanks to the Pompeo Amendment, consumers will receive more effective notification about breaches and, most importantly, businesses will be incentivized to enhance their data security practices.
“As we highlighted in our testimony before the Subcommittee last week, the retail industry supports a strong and effective data breach notification law that would enhance consumer protections and provide a uniform data breach notification standard for all businesses and firms handling sensitive customer data with equal or equivalent requirements and obligations.”