Holder Calls for National Breach Law
Asks Congress to Create Standard to Alert Breach Victims
High-profile breaches, such as those victimizing customers of retailers Target Corp. and Neiman Marcus, have prompted U.S. Atty. Gen. Eric Holder to propose a national breach notification law.
Holder is asking Congress to create a strong national standard for alerting consumers whose information has been compromised in a breach.
"This would empower the American people to protect themselves if they are at risk of identity theft," Holder says in a Feb. 24 video message. "It would enable law enforcement to better investigate these crimes and to hold compromised entities accountable when they fail to keep sensitive information safe."
He says the standard would also provide reasonable exemptions for harmless breaches, "to avoid placing unnecessary burdens on businesses that do act responsibly."
The legislation, Holder says, would strengthen the ability of the Justice Department to combat cybercrime.
"Although Justice Department officials are working closely with the FBI and prosecutors across the country to bring cybercriminals to justice, it is time for leaders in Washington to provide the tools that we need to do even more, by requiring leaders to notify American consumers and law enforcement in the wake of significant data breaches," Holder says.
Breach Notification Law Efforts
This isn't the first time the Obama administration has proposed a national breach notification law. In 2011, as part of Obama's cybersecurity legislative agenda, the administration proposed adoption of a federal data breach notification policy that would supersede the divergent laws in effect in 46 states (see Obama Offers Breach Notification Bill).
Efforts to create a federal requirement for data breach notification have been ongoing in recent years. Just this year, Democratic leaders of the Senate Commerce, Science and Transportation Committee introduced the Data Security and Breach Notification Act of 2014 (see Yet Another Data Breach Bill Introduced). The legislation was introduced Jan. 30 by Committee Chairman Jay Rockefeller, D-W.V.
Standardizing breach notification nationally would mean businesses would only need to comply with one law and not 46 different state laws, which would simplify the notification process.
Most of the breach notification bills unveiled in the past 13 months had been introduced in previous Congresses as well. The challenge facing lawmakers is agreeing on what a federal law should require - for example, which state law should serve as the model for a U.S. law? "Each [special-interest] group has different state laws that they like and don't want to lose anything they have today," says Peter Swire, senior fellow at the Future of Privacy Forum and professor at Georgia Tech's Scheller College of Business.
In January, lawmakers introduced two other bills to create a national standard for breach notification. Sens. Tom Carper, D-Del., and Roy Blunt, R-Mo., introduced the Data Security Act of 2014 on Jan. 15 (see: Breach Notification Bills Pile Up in Senate). Earlier in the month, Senate Judiciary Chairman Patrick Leahy, D-Vt., introduced the Personal Data Privacy and Security Act (see: Why U.S. Breach Notice Bill Won't Pass).
Also, in the current session of Congress, Sen. Pat Toomey, R-Pa., introduced his version of the Data Security and Breach Notification Act. It would require businesses to take reasonable measures to protect and secure electronic data containing personal information, and to notify law enforcement authorities and consumers if a major breach involving at least 10,000 individuals occurred.
The HIPAA Omnibus Rule, enacted last year, updated the HIPAA national breach notification rule for the healthcare sector.