WASHINGTON (1/28/15)--A stable law to ensure merchants are appropriately protecting consumers is needed, said Rep. Gus Bilirakis (R-Fla.) in a subcommittee hearing Tuesday on elements of potential data breach legislation.
The House subcommittee on commerce, manufacturing and trade discussed the specifics of such legislation and heard from a panel of experts on the matter.
Tuesday's hearing is likely to be the first in a series of hearings on creating data breach legislation, and it saw many of the themes that are likely to emerge when creating such a bill.
The members of the subcommittee all agreed at the outset of the hearing that data breach legislation that is universal and includes standards for consumer notification is needed. There are currently 47 different state laws dealing with data breach notification and 12 state laws governing commercial data security.
House Energy and Commerce Chair Rep. Fred Upton (R-Mich.) said Congress has a real opportunity to set a single national data security standard, which is a key component to combating the effects of data breaches. Rep. Frank Pallone (D-N.J.) said that he would not support any bill that supersedes strong state protections with a "weak federal standard."
Rep. Leonard Lance (R-N.J.) said he wants any forthcoming legislation to avoid becoming a "48th standard," and instead it should serve as the primary standard.
A letter from the Credit Union National Association and other financial trade organizations was accepted into the record.
As previously reported in News Now, the letter outlined several essential characteristics of potential data breach legislation, including national protection and notification standards that pre-empt state laws and recognition of the requirements financial institutions face under the Gramm-Leach-Bliley Act.
Lance asked the witnesses if they thought the standards set forth by the Gramm-Leach-Bliley Act, created 16 years ago, were sufficiently protecting consumers, and the witnesses agreed changes are needed.
Bilirakis said effective legislation would likely not be tied to specific technologies, such as chip-and-PIN payment cards, but should instead focus on meeting the threat. (See related story: Data security legislation among FTC recommendations.)
Three of the four witnesses said that data breach notification should be required only when the exposed information can be used to commit fraud or other crimes, citing a fear of consumer fatigue from repeated breach notices.
The fourth witness, Woodrow Hartzog of Samford's Cumberland School of Law, strenuously disagreed and said it is too difficult to determine how stolen data might be used in the future, and that consumers have the right to know when any of their information has been exposed.
While the others cautioned that consumers would grow weary of getting repeated notices about breaches, Hartzog said he did not believe consumers were suffering fatigue when it comes to being notified about data breaches that involve their personal information.