In the first step toward federal data breach legislation, the House Subcommittee on Commerce, Manufacturing, and Trade held a hearing on Tuesday entitled “What are the Elements of Sound Data Breach Legislation?” Testimony was heard from CompTIA, Acxiom, the Retail Industry Leaders Association and the Cumberland School of Law in the first of what we can assume will be many steps toward a single national breach notification requirement.
The subcommittee first heard from Elizabeth Hyman, Executive Vice President of Public Policy at Tech America, powered by CompTIA. Representing over 2200 technology companies, Hyman emphasized the difficulty in having 47 different state laws - no two of which are exactly the same, and many in direct conflict, making it nearly impossible for companies with consumers in more than one state to understand and abide by them all.
Hyman suggested that the key components of a federal breach notification law should include measures meant to shield consumers from "over-notification" by allowing the clock to start ticking only after a thorough risk assessment has been completed, so that companies know the true risk the consumer faces.
Additionally, she noted that "the key to any federal DBN law will be finding a single standard that maintains the strong consumer protections currently required by the states, but that does not overburden or impose inappropriate penalties on companies who should be focusing on notification and investigation in the wake of a breach."
Next, the subcommittee heard from Jennifer Glasgow, Chief Privacy Officer at Acxiom Corporation, who stated that the company had spoken before Congress nearly a decade ago on the same issue, and that the lack of action in the years since had paved the way for the tangled web of confusing state laws that exists today.
In addition to reiterating Hyman's points, Glasgow also requested that "security requirements should not be legislated with too much specificity," as hackers will continue to get better and "perfect security simply does not exist."
The third witness to testify at the hearing was Brian Dodge, Executive Vice President of Communications and Strategic Initiatives at the Retail Industry Leaders Association (RILA). Dodge put a ton of emphasis and urgency around the need for advanced payment card technology - namely Chip and PIN. According to the Federal Reserve, PINs on debit cards make them 700 percent more secure than transactions authorized by signature, but as we have long discussed here at Rippleshot, it's much more likely that Chip and Signature will be the technology implemented, at least to start.
Dodge also requested that the legislation "increase funding for government sponsored research into next generation security controls and enhance law enforcement capabilities to investigate and prosecute criminals internationally," stating that the "cyber-attacks faced by every sector of our economy constitute a grave national security threat that should be addressed from all angles."
The most interesting piece of Dodge's testimony, though, came when he insisted on a requirement that the breached retailers themselves be the ones to notify affected customers, rather than another party closer to the consumer, such as a bank.
"The obligation to notify and publicly acknowledge a breach creates a clear incentive to enhance a company’s data security," said Dodge. "Directing all notice obligations to entities with first party relationships removes that important incentive."
The last witness to testify in front of the subcommittee was Woodrow Hartzog, Associate Professor at the Cumberland School of Law. Hartzog, speaking from his own personal academic capacity, free of advocating for any specific group, warned of the dangers of a federal breach law.
"There is a real risk that preemptive federal legislation would do more harm than good," said Hartzog. "Our critical data protection infrastructure will be weakened if federal legislation scales back protection, consolidates regulatory authority, and sets specific rules in stone. Data breach law must offer robust protection and be able to evolve quickly."
He countered the other witnesses by pushing for data security legislation, noting that the ultimate goal is to reduce the number of breach notifications that need to be sent at all. Unfortunately, not all companies that hold consumer data are motivated to protect it, especially when the data doesn't belong to their own customers. While Hartzog acknowledged the difficulty of legislating such a fast-moving and dynamic industry, he stressed the importance of not letting companies set their own risk calculations.
We'll continue to track this conversation as it makes its way through the subcommittee and into the legislative process. To learn more about Rippleshot and how it can help with earlier breach notification, click below to get an in-depth demo.