Lawmakers see momentum for data breach legislation

House lawmakers in both parties at a Tuesday hearing voiced optimism that Congress could pass legislation requiring companies to notify customers about breaches of consumer data.

Efforts to pass such a bill have repeatedly stumbled, but Democrats and Republicans alike said the tide may be turning with voters increasingly focused on cybersecurity. 

“I do sincerely believe that is an achievable goal,” said Rep. Michael Burgess (R-Texas), chairman of the House Subcommittee on Commerce, Manufacturing and Trade, which held the hearing. “It’s clear most of us agree on preemption.”

Lawmakers are debating legislation to require breached companies to notify customers within a set time period that their information had been exposed. It would also create nationwide data security standards for companies.

The effort to pass a federal data breach bill has received new momentum following a series of high-profile data breaches at major companies like Home Depot, Target and JPMorgan. The recent cyberattack on Sony Pictures has only brought more attention to the issue.

The White House has also pressed Congress to move on the issue. It recently released its own legislative proposal, which Sen. Bill Nelson (D-Fla.) later introduced. The bill would set a 30-day window for notification, require companies to report certain breaches to the government and empower the Federal Trade Commission to set and enforce federal data security standards.

With 47 different state-based data breach notification bills, many lawmakers and industry groups think creating one federal standard should be Congress’s top 2015 cybersecurity priority. In 2015 alone, seven states have introduced 17 bills related to this issue, said Elizabeth Hyman, executive vice president of Tech America, the public policy wing of tech trade group CompTIA.

Lawmakers must “get it right” on a data breach bill “before we try to tackle some of the other concerns,” said Rep. Fred Upton (R-Mich.), who chairs the full House Committee on Energy and Commerce.

Still, a number of questions remain.

Rep. Peter Welch (D-Vt.) ticked off a few: How many days should companies get to investigate a breach before they must notify consumers? What type of a breach should trigger a customer notification? Should all sectors be covered by a federal law? Should states retain the power to enforce data breach laws?

“These are more practical issues,” Welch said.

Lawmakers focused many of their questions on which breaches should prompt customer notifications.

Industry groups are worried a federal standard could drive over-notification, where consumers are inundated with messages that their data has been exposed.

“Industry in general is very sensitive to the over-notification problem,” said Jennifer Glasgow, chief privacy officer at data broker Acxiom.

Companies should only have to notify customers if “their information has actually been accessed and only when that information is likely to be used in a harmful manner,” Hyman said.

But Woodrow Hartzog, a data breach law expert at Cumberland School of Law, cautioned that “it can be extremely difficult to meet the burden of proof that harm is actually likely in any one instance.”

“The problem of over-notification is also one that can tend to be overinflated,” said Rep. Jan Schakowsky (D-Ill.), the subcommittee’s ranking member.