
From Banking and Finance Law Daily, February 5, 2015

Federal data breach notification law called for at hearing

By J. Preston Carter, J.D., LL.M.

The need for federal action on data security “becomes clearer each day,” according to Sen. Jerry Moran (R-Kan), in opening remarks at the Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security hearing entitled, “Getting it Right on Data Breach and Notification Legislation in the 114th Congress.” The purpose of the hearing was to examine the merits of a federal data security standard and the need for a preemptive and uniform federal data breach notification.

Committee Chairman Moran said, “While Congress has developed sector-specific data security requirements for both financial institutions and companies that handle particular types of health information, Congress has been unable to reach a consensus on the development of national data security and data breach notification standards.” As a result, Moran continued, “states have taken on this task by developing their own standards,” resulting in businesses being “subject to a patchwork” of state, district, and territory laws. He pointed to recent high-profile data breaches as showing the need for federal action.

Strong national law. Testifying at the hearing, Illinois Attorney General Lisa Madigan called on Congress to “pass legislation that ensures notification of breaches that can harm Americans.” Madigan said, “A weak national law that restricts what most state laws have long provided will not meet Americans’ increasing and rightful expectation that they be informed when their information has been stolen.”

Retain financial sector standards. Doug Johnson, senior vice president of payments and cybersecurity policy at the American Bankers Association also called for a national data breach standard. “Bankers are acknowledged leaders in defending against cyber threats,” Johnson said. “Therefore, from the financial services perspective, it is critical that legislation takes a balanced approach that builds upon—but does not duplicate or undermine—what is already in place and highly effective in the financial sector.”

State law compliance burden. Cheri F. McGuire, Vice President, Global Government Affairs & Cybersecurity Policy, Symantec Corporation, said state-specific data breach notification laws create an “enormous compliance burden, particularly for smaller companies.” McGuire said Symantec supports a national standard built on three principles:

  1. Data security legislation should apply equally to all.

  2. Implementing pre-breach security measures should be a part of any legislation.

  3. The use of encryption or other security measures that render data unreadable and unusable should be a key element in establishing the threshold for the need for notification.

McGuire said that, although legislation cannot stop breaches from happening, “smart data breach legislation can help businesses and governments respond effectively and efficiently, and empower consumers with accurate and timely information.”

Improving technology solutions. Mallory Duncan, Senior Vice President and General Counsel, National Retail Federation, urged the committee to examine not only what to do after a breach occurs, but also why breaches occur. Duncan said, “data is only as secure as the weakest link in the chain of entities that share that data for a multitude of purposes,” and recommended improving technology solutions to better protect consumers in payment transactions. Duncan also said a federal law should: include uniform notice requirements for all businesses that handle sensitive data; expressly preempt state law; and reflect the strong consensus of state laws by removing exemptions and closing “notice holes” that exist in several state laws.

Training cybersecurity workforce. Dr. Ravi Pendse, Chief Information Officer at Brown University, also called for a uniform federal law. According to Pendse, national legislation governing data breaches would have many advantages over existing state laws and reduce the burden that dissimilar state laws place on complying organizations. In addition to laws regarding data breaches, he called on Congress to create incentives for proactive measures to reduce the likelihood of breaches, one of the most important being the development of a trained cybersecurity workforce through education and training.

Notification of harmful breaches. The testimony of Yael Weinman, Vice President for Global Privacy and General Counsel, Information Technology Industry Council, focused on “several of the critical elements” Weinman said Congress should consider in developing a federal data breach notification framework.

  • Consumer notification. Consumers will be best served, Weinman said, if they are notified not about every data breach, but about those that can cause real financial harm so that they can take precautionary actions only when they are in fact necessary.

  • Timing of notification. According to Weinman, mandating that companies notify consumers of a data breach within a prescribed timeframe is counterproductive. He said that sufficient flexibility in timing allows law enforcement to pursue hackers, and ensures that consumers are neither notified with incomplete or inaccurate information nor notified unnecessarily.

  • Federal preemption. A federal law without preemption would simply result in adding another law to the patchwork of state laws, Weinman said.

He concluded by stating that, while 2014 has been referred to as the “year of the breach,” he hopes 2015 becomes known as the “year of a federal data breach notification law.”
