U.S. Attorney General Eric Holder wants a national law governing how companies handle data security breaches, and industry is on board.
The Justice Department is taking an aggressive approach to investigating recent data breaches, including Target's massive consumer information spill announced in December, said Mr. Holder yesterday.
Now, he wants Congress to take action. "It is time for leaders in Washington to provide the tools that we need to do even more by requiring businesses to notify American consumers and law enforcement in the wake of significant data breaches," he said during a video address.
While industry often fights legislation calling for stricter privacy controls over use of data by marketers, in this case, industry representatives are gung ho.
"We have been supportive of a federal preemptive data breach law for the last 10 years. There have been several bills introduced in this time frame, but none have passed, mainly because there were other provisions included in these bills that were not related to breaches and were controversial," said Jennifer Barrett-Glasgow, chief privacy officer for data giant Acxiom. "We are hopeful that this year we may finally get a strong and workable national standard."
What firms like Acxiom are looking for here is a federal rule to override an array of state laws.
The Direct Marketing Association said the same.
"DMA supports a clear and uniform national data-breach notification standard that eliminates the patchwork of disparate state laws that currently exists," said Peggy Renken Hudson, senior VP-government affairs for the trade group. "DMA believes a single national standard will succeed in the aim of addressing identity theft without adversely affecting the flow of information vital to the U.S. economy."
Ms. Barrett-Glasgow cautioned against requiring companies to notify consumers and law enforcement of a breach within a specific window of time. "No two breaches are alike and establishing fixed timeframes for notification, like we have seen in several drafts, can be problematic," she said.
The highly publicized Target data breach and a subsequent security gap at Neiman Marcus inspired the introduction and re-introduction of a handful of data security and privacy bills this year, whose sponsors are primarily Democrats:
- Personal Data Privacy and Security Act, sponsored by Senator Patrick Leahy, D-Vt.
- Data Security Act of 2014, sponsored by Senators Roy Blunt, R-Mo., and Tom Carper, D-Del.
- The Data Security and Breach Notification Act, sponsored by Senators Dianne Feinstein, D-Calif., John Rockefeller, D-W.V., Mark Pryor, D-Ark., and Bill Nelson, D-Fla.
- Personal Data Protection and Breach Accountability Act, sponsored by Senators Richard Blumenthal, D-Conn., and Ed Markey, D-Mass.
At this stage, it remains unclear which piece of legislation has legs, but with an Apple security hole revealed today, expect a steady data security drumbeat in Congress.