Lawmakers see momentum for data breach legislation

House lawmakers in both parties at a Tuesday hearing voiced optimism that Congress could pass legislation requiring companies to notify customers about breaches of consumer data.

Efforts to pass such a bill have repeatedly stumbled, but Democrats and Republicans alike said the tide may be turning with voters increasingly focused on cybersecurity. 

“I do sincerely believe that is an achievable goal,” said Rep. Michael Burgess (R-Texas), chairman of the House Subcommittee on Commerce, Manufacturing and Trade, which held the hearing. “It’s clear most of us agree on preemption.”

Lawmakers are debating legislation that would require breached companies to notify customers, within a set time period, that their information has been exposed. It would also create nationwide data security standards for companies.

The effort to pass a federal data breach bill has received new momentum following a series of high-profile data breaches at major companies like Home Depot, Target and JPMorgan. The recent cyberattack on Sony Pictures has only brought more attention to the issue.

The White House has also pressed Congress to move on the issue. It recently released its own legislative proposal, which Sen. Bill Nelson (D-Fla.) later introduced. The bill would set a 30-day window for notification, require companies to report certain breaches to the government and empower the Federal Trade Commission to set and enforce federal data security standards.

With 47 different state-based data breach notification laws on the books, many lawmakers and industry groups think creating one federal standard should be Congress’s top 2015 cybersecurity priority. In 2015 alone, seven states have introduced 17 bills related to this issue, said Elizabeth Hyman, executive vice president of TechAmerica, the public policy wing of tech trade group CompTIA.

Lawmakers must “get it right” on a data breach bill “before we try to tackle some of the other concerns,” said Rep. Fred Upton (R-Mich.), who chairs the full House Committee on Energy and Commerce.

Still, a number of questions remain.

Rep. Peter Welch (D-Vt.) ticked off a few: How many days should companies get to investigate a breach before they must notify consumers? What type of a breach should trigger a customer notification? Should all sectors be covered by a federal law? Should states retain the power to enforce data breach laws?

“These are more practical issues,” Welch said.

Lawmakers focused many of their questions on which breaches should prompt customer notifications.

Industry groups are worried a federal standard could drive over-notification, where consumers are inundated with messages that their data has been exposed.

“Industry in general is very sensitive to the over-notification problem,” said Jennifer Glasgow, chief privacy officer at data broker Acxiom.

Companies should only have to notify customers if “their information has actually been accessed and only when that information is likely to be used in a harmful manner,” Hyman said.

But Woodrow Hartzog, a data breach law expert at Cumberland School of Law, cautioned that “it can be extremely difficult to meet the burden of proof that harm is actually likely in any one instance.”

“The problem of over-notification is also one that can tend to be overinflated,” said Rep. Jan Schakowsky (D-Ill.), the subcommittee’s ranking member.