The discussion on Capitol Hill around data privacy has pivoted to focus on data security, which arguably has a better chance of resulting in federal legislation. The House Subcommittee on Commerce, Manufacturing and Trade met this morning for a hearing on data breach legislation.
"This committee is calling for action," said Rep. Michael Burgess (R-TX), committee chairman. "Federal legislation should include a single but flexible data security requirement," he said, reiterating industry calls for a blanket national rule to replace the 47 state laws applying to data breach notification. Mr. Burgess, along with other committee members, stressed that data breach notification laws applying to financial services and healthcare industry firms should be separate and dealt with by authorities that directly oversee those industries.
Democratic members of the committee including Rep. Jan Schakowsky of Illinois indicated that they want to ensure a federal law does not weaken the ability of state attorneys general to enforce notification laws. Hearing witness Woodrow Hartzog, associate professor at Cumberland School of Law, said he would like to see minimal pre-emption of state rules and would like the FTC to be given rulemaking authority in association with legislation.
Indeed, whether a federal law pre-empts state rules could be a sticking point in passage of a data breach notification law. Witnesses representing industry warned against establishing a "48th law" and said they want federal data breach rules to be flexible and override state laws applying to breach notification. Acxiom's Chief Privacy Officer Jennifer Barrett-Glasgow said the data services firm wants to ensure data breach notification bills are "clean" and don't include specific rules applying to data brokers. "In the past other issues have crept into data breach bills and this has hurt the chances of [passage]," she said, adding that a federal law should be harm-based and there should be a "reasonable time frame for notification."
Some committee members and witnesses suggested that if notification is made contingent on whether consumers are harmed by a breach, defining "harm" itself could prove difficult.
Data Security for the Internet of Things
A long-awaited report from the Federal Trade Commission on the Internet of Things reaffirmed the agency's "recommendation for Congress to enact strong, flexible and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach."
The President earlier this month announced a handful of data security-related initiatives that could become law, including the administration's Personal Data Notification and Protection Act, which promises to help companies handling consumer data by providing a single set of data breach rules that applies nationwide. "This proposal clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard," stated a White House press release.
In its report on the Internet of Things -- or IoT -- the FTC laid out the scope of its evaluation of the rapidly expanding array of devices that gather user data and connect to the Internet, from fitness trackers to vehicle add-ons. The report, the product of a workshop the agency held last year on IoT, noted that "the FTC Commission staff agrees with those commenters who stated that there is great potential for innovation in this area, and that IoT-specific legislation at this stage would be premature."
Instead, the agency recommended a series of efforts to safeguard data gathered through IoT products, suggesting developers conduct security risk assessments, minimize data collection and storage, test security measures, and vet security practices of their partners and service providers.