Yesterday, a coalition of 44 service and retail industry trade associations sent a letter to congressional leadership, urging the House and Senate to adopt a single data breach notification standard at the federal level. The letter, addressed to the Majority and Minority Leaders of each chamber, states that “a single, federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs.”
The coalition letter states that any legislation to address data security and data breaches should cover all types of entities that handle sensitive data, and should not provide exemptions for certain business sectors. The letter cites several recent examples of breaches across different sectors, including the JP Morgan and Apple iCloud breaches, as well as one involving a Department of Homeland Security contractor.
Further, in an attempt to recognize companies that suffer data breaches as victims, the letter repeatedly references the theft of financial payment information, noting that “the failure of the payment cards themselves to be secured by anything more sophisticated than an easily-forged signature makes the card numbers particularly attractive to criminals and the cards themselves vulnerable to fraudulent misuse. Better security at the source of the problem is needed.” President Obama recently announced a new initiative aimed at making financial transactions more secure through “chip and pin” technology.
While the letter does call for national regulation of data breach notification, it does include the caveat that “Congress should act to standardize reasonable, timely notification of sensitive data breaches.” Nonetheless, many sectors would now welcome a federal breach notification standard as a less costly alternative to complying with the patchwork of different state laws currently in place.
Congress is unlikely to act on data security and breach notification during the lame duck session; however, given House Republicans’ interest in this issue in past months, we could see a resurgence of data security legislation in the Republican-controlled 114th Congress.