Congress has debated proposals for years to enact a federal data breach law which would require companies to notify consumers if their information is stolen. That effort never got very far because lawmakers couldn’t agree on specifics.
Recent large-scale data breaches at Target Corp. and other retailers have reignited congressional interest. Three congressional hearings are scheduled for this week, including a panel on Tuesday which will feature testimony from executives at Target and Neiman Marcus about recent hacking incidents. A similar House hearing is scheduled for Wednesday.
It’s not clear that Congress will pass data breach laws this year, but pressure to do something appears to grow with each new retail data theft. While Michaels Stores and Neiman Marcus have also reported customer data thefts, Target’s massive breach appears to be driving current congressional interest in finally enacting some sort of national law.
In December, Target disclosed that hackers had collected credit card or other data of up to 70 million customers during the holiday shopping season.
There is no national standard for notifying consumers if their data has been stolen. There are some federal industry-specific standards for things such as consumer health records and children’s websites, but there’s no broader law that covers the sort of retail store data theft that has left millions of Americans concerned about the safety of their credit and debit cards.
California enacted a data breach notification law twelve years ago, and other states have widely copied it. Forty-six states currently require at least some form of consumer notification when private information is stolen. Fourteen states have gone further, enacting stricter laws that require additional notification or impose possible penalties on those responsible for data breaches.
(The four states with no security breach law are Alabama, Kentucky, New Mexico and South Dakota.)
Retailers and other industry groups would love to see the current patchwork of state laws replaced with a single federal data standard. But companies and privacy advocates haven’t been able to agree on what that standard should require. Disagreements also remain about how to define a data breach, who pays for the damage and when companies would have to inform consumers and law enforcement agencies.
Lawmakers have already dusted off several earlier legislative proposals aimed at better protecting consumers or informing them of data breaches.
Last month, Senate Judiciary Committee chairman Patrick Leahy of Vermont reintroduced a data breach bill that would set a national standard for notifying consumers about breaches and allow for criminal penalties for concealing breach information.
Republican Senator Roy Blunt of Missouri and Democratic Senator Tom Carper of Delaware proposed similar legislation to institute a national data breach standard.
“Recent massive data breaches at Target and Neiman Marcus have put the personal information of tens of millions of Americans at risk,” said Senator Dianne Feinstein (D., Calif.) in a statement last week while releasing another proposed bill with three other Democratic senators. “This is a real and growing problem.”
The Feinstein bill, which was co-authored by Senate Commerce Committee chairman Jay Rockefeller (D., W.V.) and two other Democratic senators, would establish federal data security and notification standards and make it possible to impose criminal penalties for concealing a breach. The lawmakers have proposed similar legislation twice before.