Lynch said national companies must determine what their obligations are under different state laws every time a data breach occurs. “It is difficult and challenging for companies to manage different requirements,” he said.
But he emphasized that any national law should focus on protecting data that would have a “significant impact” on the consumer if it were breached.
He identified health records and financial information as particularly sensitive information.
Encrypted data would be useless to hackers, Lynch said, and therefore companies should not be required to notify consumers if it is breached.
A national data breach requirement passed the Commerce, Manufacturing and Trade Subcommittee last week, and it is currently awaiting a vote from the full Energy and Commerce Committee.
Democrats on the House subcommittee voted against the measure because they said it did not do enough to protect private information such as photographs, videos and library records. Republicans argue the bill should focus on protecting financial information from identity theft.
National data security legislation passed the House in 2009 but did not come up for a vote in the Senate.