In his sixth State of the Union Address to Congress, President Obama again called on Congress to strengthen the nation’s cybersecurity laws and enact a federal standard for data security and breach notification. Speaking before a joint session of Congress, the president stated that “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets or invade the privacy of American families.” His remarks follow a week-long focus on cybersecurity and data security, including the release of several legislative proposals which he urged Congress to adopt.
It appears that Congress is also moving quickly to address the issue. In the House, Dr. Michael Burgess (R-TX), chairman of the Energy & Commerce Subcommittee on Commerce, Manufacturing and Trade, has scheduled a hearing on breach notification legislation on January 27, 2015. The hearing, entitled “What are the Elements of Sound Data Breach Legislation?” is the first step in crafting a breach notification bill in the House, which Chairman Burgess states will be a top priority for his subcommittee. Noting the president’s action on this issue, Burgess stated that “I am encouraged by the president’s recent focus on this issue and call for a national standard, and I agree. Working toward a federal data breach solution is a top priority for our new Congress.”
In the Senate, Sen. Bill Nelson (D-FL) has introduced his own breach notification bill (S. 177) that would require companies, under most circumstances, to notify consumers of data breaches within 30 days. It also would direct the Federal Trade Commission (FTC) to develop security standards to help businesses protect consumers’ personal and financial data. Additionally, the legislation would provide incentives to businesses that adopt new technologies to make consumer data unusable or unreadable if stolen during a breach. Sen. Nelson’s bill is very similar to the proposal put forward by the White House.
Whether Congress can ultimately pass such legislation remains uncertain; however, breach notification legislation could provide a starting point for the renewed bipartisan effort that President Obama called for in his address. On the other hand, differences are starting to emerge with respect to liability protections for the sharing of cyber threat information, which could again stall the momentum of any comprehensive cybersecurity legislation.