In the wake of high-profile data breaches at Target and Neiman Marcus, among others, Congress held three hearings on data security and data breaches last week. The first, held by the Senate Banking, Housing and Urban Affairs Committee, dealt with specific financial sector issues related to data breaches, but the Senate Judiciary Committee and House Energy and Commerce Committee hearings looked at data security and data breaches from a number of different angles. Following the hearings, there is some optimism that Congress could finally pass a law implementing a national data breach notification standard, which would be a huge win for SMBs.
The latter two hearings featured executives from both Target and Neiman Marcus as witnesses, so both initially leaned towards the particular issues raised by retail point-of-sale data breaches. The focus seemed to be a push towards replacing our current magnetic-stripe credit and debit cards with the more secure chip-and-PIN cards already in use across Europe. But both hearings quickly moved on to broader data security issues, albeit with different tones set by the opening statements. The Senate Judiciary hearing looked at things primarily from the perspective of protecting the consumer, while House subcommittee Chairman Lee Terry (R-Neb.) reminded us that the companies that have been hacked are victims too.
It quickly became clear that there was nothing close to a consensus on the issue of federally mandated data security standards. Every stakeholder, regulator, congressman and senator in the room had a different idea of what such a law should look like, or whether such a law should exist at all. But there did seem to be consensus that a federal data breach notification law is needed. Republicans (Terry) and Democrats (Sen. Dianne Feinstein (D-Calif.), Rep. Henry Waxman (D-Calif.)) alike called for the passage of such a law, as did FTC Chairwoman Edith Ramirez.
A number of data security bills have been introduced in the Senate over the last few months. Each of them handles data security and data breach notification differently. Given the lack of agreement on what a data security law should look like, these bills could meet the same fate as the data security bills of Congresses past and quietly fade out of existence.
In the House, however, we are likely to see two bills focusing solely on data breach notification laws introduced in the near future – one from the Judiciary Committee, the other from Energy and Commerce. It is possible that those House bills could have enough in common with the data breach notification sections of some of the Senate bills that the two sides could move toward a conference to try and hash out their differences. Still, it is unclear whether the Senate will be willing to yield and separate the data breach notification and data security provisions into two different pieces of legislation.
CompTIA hopes that, since Congress and stakeholders alike agree there is a need for a federal data breach notification standard, lawmakers will accept what is achievable and move forward on a federal standard that is long overdue. The timing seems right for such an outcome.