House Takes Up Data Breach, Notification Issue

Both Sides Agree Legislative Action Required to Deal With Threats

The House Commerce, Manufacturing and Trade Subcommittee held its first hearing of the new Congress on an issue that both sides signaled needs bipartisan legislation: data security and breach notification.

President Obama urged the passage of such legislation in his State of the Union address, and both sides of the aisle on the committee pledged to work with the White House.

Rep. Michael Burgess (R-Texas), the new chairman of the subcommittee, urged a single federal data security law that could supersede 47 different state laws that several witnesses at the hearing said are expensive to comply with, confusing for business and constantly changing. A single, national standard, he said, would give companies the confidence that their protection measures are sound; put them on notice that if they don’t meet the standard they are subject to federal enforcement; and allow them to spend more money on protecting information and notifying consumers and less on lawyers figuring out how to comply with a patchwork of changing state requirements.

Rep. Frank Pallone (D-N.J.), ranking member of the parent Energy & Commerce Committee, warned against pre-empting strong state data security laws -- those in Massachusetts and California, for example -- in favor of a weak national standard.

That was just one example of the differences that still could divide the committee, their desire for bipartisanship notwithstanding. Another is the question of what should trigger a breach notification -- only breaches that can be determined to threaten immediate harm or all breaches -- and how quickly to inform consumers. Several witnesses said companies needed time to investigate breaches first.

Currently, 47 states have data security laws, and one witness, Elizabeth Hyman from Tech America, said a federal standard should not become simply number 48, but would need to pre-empt the others. She said that standard could be strong, but said notification should be based on actual harm to prevent over-notification or notification fatigue.

Woodrow Hartzog, representing opponents to broad pre-emption, said any pre-emption should be targeted so as not to undo strong state laws and said multiple agencies should enforce the standard, including the Federal Communications Commission, Federal Trade Commission, Federal Aviation Administration and state Attorney General offices. He also said an actual harm standard would be too restrictive given that it is difficult to determine causality. He pointed out that a breach could release data downstream that could be aggregated with other data.

The hearing was held the same day that the FTC released a staff report calling for passage of data breach and security legislation.

Everybody agreed that some kind of legislation was needed, but the devil still looked to be in the details, with Democrats leaning away from broad pre-emption and an actual harm standard, and Republicans leaning in.