Get Coverage of the First Data Breach Notification Hearing of the 2013 Legislative Session

Earlier today, CompTIA’s own Chief Legal Officer Dan Liutikas testified during the House Subcommittee on Commerce, Manufacturing and Trade hearing titled “Reporting Data Breaches: Is Federal Legislation Needed to Protect Consumers?” Serving on the panel with Liutikas were other distinguished IT policy experts such as Debbie Matties, vice president of privacy for CTIA, Jeff Greene, senior policy counsel, cybersecurity and identity at the Symantec Corporation, Kevin Richards, senior vice president, federal government affairs at TechAmerica, Andrea M. Matwyshyn, assistant professor of legal studies and business ethics, the Wharton School, University of Pennsylvania and David Thaw, visiting assistant professor of law, University of Connecticut School of Law.

Liutikas highlighted the importance of a national framework that establishes a single rule for industry to follow when a company suffers a breach of consumer information. Currently, 46 or more state data breach notification laws are in place, and each state imposes a different compliance obligation. Liutikas testified that this patchwork of state laws creates an undue burden on small- and medium-sized businesses, which must expend precious resources to ensure compliance with often conflicting notice obligations.

The industry representatives on the panel agreed on the need for a national framework, but there was no consensus on how that framework should be implemented. Matwyshyn and Thaw argued that a national framework should serve as a floor, permitting states to impose more restrictive data breach notification obligations. Some panelists felt that a national framework should also include data security and integrity obligations. The industry representatives, however, were unanimous that a national law must pre-empt state laws. Absent pre-emption, their concern was that any new federal requirement would merely become a 47th obligation, adding to the already bewildering patchwork of data breach notification (DBN) laws that exists today.

Two further questions were raised. First: should a national framework trigger consumer notice on the basis of "possible harm" or "actual harm" to a consumer whose personally identifiable information (PII) has been breached? Second: how should PII be defined? Matwyshyn testified, for example, that PII should include reputational information, such as online purchasing habits.

Finally, the discussion turned to whether companies should be given a fixed number of days to notify consumers after a data breach. Industry witnesses testified unanimously that every breach is different and that notice should follow a process that allows companies and law enforcement to complete due diligence on whether and how a breach occurred. There was a strong sentiment that, for the sake of both the consumer and the business, being first to report is secondary to being right when you report.

In general, there was support from the Subcommittee for a national framework. Chairman Lee Terry said the current patchwork must be changed because compliance costs are adding up too quickly. Ranking Member Jan Schakowsky said any federal law should not weaken strong state laws already in place. Finally, Chairman Emeritus Joe Barton stated that he supported a national framework as a baseline for data breach notification reform.

Overall, this was a positive development for CompTIA. This was the first hearing of the 2013 legislative session focused exclusively on data breach, which allows CompTIA the opportunity to help frame the debate and offer solutions. As a next step, CompTIA will focus its efforts on bringing the industry stakeholders together to develop a policy road map for moving the discussion forward.

Watch video of the hearing here.
