
ETA warns against overly broad federal data breach notification standard

The Electronic Transactions Association told lawmakers on Thursday that while the organization supports a federal data breach notification standard, nationwide notification should be limited to breaches that pose a substantial risk to consumers.

In a letter dated May 22, the ETA pointed to different data breach notification laws across 47 states, plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands.

The ETA said a federal standard is necessary to address the patchwork of laws across various jurisdictions, but added that federal notification should only be required if the breach “poses a significant risk of identity theft or other economic harm.”

“We remain concerned that an overly-inclusive trigger would cause consumers to be burdened with unnecessary notifications that could ultimately lead to consumer complacence when a truly actionable breach occurs,” the ETA said. “Similarly, a too broadly-drawn definition of sensitive personally identifiable information—one that captures non-sensitive data elements such as consumer information one might find in a printed or online telephone directory—could unnecessarily trigger notice when no real threat of identity theft or fraud exist[s]. A balanced bill would also exclude public records and information derived from public records from its scope.”

The ETA also said that while businesses should notify consumers “without reasonable delay,” ongoing investigations that often involve law enforcement may be compromised by premature notification.

“As we have learned from several recent data breaches, businesses are best equipped to protect and notify consumers when they are provided sufficient time to gather the facts, secure their systems and work with law enforcement before prematurely notifying the public,” the ETA said. “Given the complexities of both data breach response and notification—often layered with the added complication of an ongoing criminal investigation—we believe that a federal notification standard should not allow for a private right of action. Similarly, we do not believe that the Federal Trade Commission should be granted additional civil penalty authority in this area.”
