Lawmakers see momentum for data breach legislation

House lawmakers in both parties at a Tuesday hearing voiced optimism that Congress could pass legislation requiring companies to notify customers about breaches of consumer data.

Efforts to pass such a bill have repeatedly stumbled, but Democrats and Republicans alike said the tide may be turning with voters increasingly focused on cybersecurity. 

“I do sincerely believe that is an achievable goal,” said Rep. Michael Burgess (R-Texas), chairman of the House Subcommittee on Commerce, Manufacturing and Trade, which held the hearing. “It’s clear most of us agree on preemption.”


Lawmakers are debating legislation to require breached companies to notify customers within a set time period that their information had been exposed. It would also create nationwide data security standards for companies.

The effort to pass a federal data breach bill has received new momentum following a series of high-profile data breaches at major companies like Home Depot, Target and JPMorgan. The recent cyberattack on Sony Pictures has only brought more attention to the issue.

The White House has also pressed Congress to move on the issue. It recently released its own legislative proposal, which Sen. Bill Nelson (D-Fla.) later introduced. The bill would set a 30-day window for notification, require companies to report certain breaches to the government and empower the Federal Trade Commission to set and enforce federal data security standards.

With 47 different state-based data breach notification bills, many lawmakers and industry groups think creating one federal standard should be Congress’s top 2015 cybersecurity priority. In 2015 alone, seven states have introduced 17 bills related to this issue, said Elizabeth Hyman, executive vice president of Tech America, the public policy wing of tech trade group CompTIA.

Lawmakers must “get it right” on a data breach bill “before we try to tackle some of the other concerns,” said Rep. Fred Upton (R-Mich.), who chairs the full House Committee on Energy and Commerce.

Still, a number of questions remain.

Rep. Peter Welch (D-Vt.) ticked off a few: How many days should companies get to investigate a breach before they must notify consumers? What type of a breach should trigger a customer notification? Should all sectors be covered by a federal law? Should states retain the power to enforce data breach laws?

“These are more practical issues,” Welch said.

Lawmakers focused many of their questions on which breaches should prompt customer notifications.

Industry groups are worried a federal standard could drive over-notification, where consumers are inundated with messages that their data has been exposed.

“Industry in general is very sensitive to the over-notification problem,” said Jennifer Glasgow, chief privacy officer at data broker Acxiom.

Companies should only have to notify customers if “their information has actually been accessed and only when that information is likely to be used in a harmful manner,” Hyman said.

But Woodrow Hartzog, a data breach law expert at Cumberland School of Law, cautioned that “it can be extremely difficult to meet the burden of proof that harm is actually likely in any one instance.”

“The problem of over-notification is also one that can tend to be overinflated,” said Rep. Jan Schakowsky (D-Ill.), the subcommittee’s ranking member.