Leaders from the Senate Commerce Committee and witnesses at a committee hearing on Wednesday expressed support for a national data breach notification standard aimed at protecting consumers’ personal data from cyberattacks.
“A single federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm,” Committee Ranking Member John Thune (R-S.D.) said in his opening statement. “Such a standard would also provide consistency and certainty regarding timely notification practices, which benefits both consumers and businesses.”
Witnesses at the hearing to examine data protection echoed that sentiment. FTC Chairman Edith Ramirez said the need for legislation establishing a national notification standard has never been greater.
“With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress must act,” Ramirez said.
David Wagner, the president of financial services firm Entrust, said the effort should begin with “harmonizing” breach notification laws.
“The first state-level breach notification law was enacted in California in 2002; today, 46 states have similar laws,” Wagner said. “However, we are still without a common federal approach. Federal harmonization of breach notification laws is a good place to start.”
Only four states—Alabama, Kentucky, New Mexico and South Dakota—do not have state-wide data breach notification laws. New Mexico, however, is considering a bill that would require that individuals affected by a data breach be notified by the organization within 10 days of the incident’s discovery, SC Magazine reports.
Kentucky is also considering a bill that would require businesses and other entities to notify consumers immediately of a cyberattack on personal or financial information, WDRB.com reports.
Sen. Patrick Leahy (D-Vt.) introduced legislation in January that would standardize state data breach notification laws into federal law. The rules would apply to businesses that access, compile or process information on 10,000 or more individuals and would require businesses to notify affected individuals within 60 days of the incident’s discovery.