This week, the U.S. House of Representatives Subcommittee on Commerce, Manufacturing, and Trade held an oversight hearing entitled “Reporting Data Breaches: Is Federal Legislation Needed to Protect Consumers?” The hearing, which included testimony from members of the technology industry and academia, focused on whether there is a need for a federal law to either supplement or replace the current patchwork of more than 48 state data breach notification laws.
Tech industry representatives from associations including TechAmerica, CompTIA, and CTIA described the burden facing companies that suffer a data breach and must then quickly assess their obligations based upon the states’ differing definitions of personal information, various event triggers, and numerous notification timeframes. In addition, they stressed that any new federal law should preempt existing state laws rather than simply establish a minimum standard on which state laws would be based. The hearing also included discussion of technical questions relating to a possible federal law, including how to define a data breach, how quickly breaches should be reported, and what obligations companies have to consumers whose information has been breached.
During the hearing, Subcommittee Chairman Lee Terry (R-NE) expressed an interest in pursuing new legislation on this matter. Notably, during the 111th Congress, Subcommittee member Rep. Bobby Rush (D-Ill) reintroduced the Data Accountability and Trust Act (“DATA”) that would have replaced the various state regimes with a uniform federal notification standard and charged the FTC with enforcement. The bill passed the House, but no action was taken in the Senate.