Checking In On the Federal Data Breach Notification Law
As we reach the midpoint of 2015, it is a good time to check in on the progress of the Data Breach and Security Notification Act of 2015 that is making its way through Congress. Most privacy experts and data breach practitioners agree that a single nationwide data breach notification statute would be superior to the current state-by-state regime—it would certainly make data breach response much easier and more cost-effective—but there is considerable debate about what that statute should say. Thus far, the bill has remained stagnant in the Senate after being referred to the Senate Commerce, Science and Transportation Committee back in January; but the House version of the bill has made some progress in the Energy and Commerce Committee, where a mark-up session was held and the bill was referred to the Subcommittee on Commerce, Manufacturing and Trade. The amendments considered in committee generally mirrored the overall debate on the statute, with some arguing that the bill would weaken existing state laws pertaining to data breaches while others argued that the current draft of the bill put too much of a burden on businesses because it arguably requires them to notify consumers even if the data is breached when it is in the hands of another company and even if the data was merely accessed, but not actually acquired.
On the whole, the general sentiment has been that “privacy advocates” are worried because they say the federal breach law could actually hurt consumers. But the simple fact that Congress is discussing these issues and contemplating a national framework is a step in the right direction.