Data breach notification is as American as apple pie. That's why 46 states have enacted data breach notification laws.
But those state laws vary widely. And just as the states can't agree on what should be in a notification law, Congress also has shown no signs of reaching a consensus on a national approach.
Because of the conflicts of the parties, it is difficult to come up with a uniform statute that adequately addresses all the concerns.
That hasn't deterred the chairman of the Senate Judiciary Committee, Patrick Leahy of Vermont, from trying yet again. Every Congress since 2005, Leahy has introduced the Personal Data Privacy and Security Act, and this past week he introduced the bill again.
Leahy's bill would require a business or federal agency to give notice to individuals whose sensitive personally identifiable information has been compromised within 60 days of the discovery of a data security breach. Notification could be delayed if the Secret Service or FBI determine that such notices would impede a criminal investigation.
The federal Health Insurance Portability and Accountability Act requires notification of health data breaches within 60 days. But there's no federal law spelling out notification requirements in other sectors. And that's why most states stepped in with their own laws.
The timing of the introduction of the latest version of the Personal Data Privacy and Security Act coincides with the increasing fallout from the breach of the retailer Target (see Target Breach: 70 Million Affected).
"The recent data breach at Target ... is a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity remains one of the most challenging and important issues facing our nation," Leahy said in a statement. "This important issue will also be the focus of a hearing before the Judiciary Committee this year."
One of the problems with getting a data breach notification law, or, for that matter, other cybersecurity bills enacted is that there are just too many congressional committees claiming jurisdiction over this legislation, says Peter Swire, senior fellow at the Future of Privacy Forum and professor at Georgia Tech's Scheller College of Business. "The path to legislation is complicated," he says
A data breach bill introduced by Sen. Pat Toomey, R-Pa., in June was referred to the Committee on Commerce, Science and Transportation. But the Senate Banking, Housing and Urban Development Committee's Subcommittee on Financial Institutions and Consumer Protection provides oversight on e-commerce and could lay claim to jurisdiction over data breach notification.
Unwillingness to Compromise
Another problem is that the 46 state laws have different triggers for breach notification. Some laws require notification by the mere fact of a breach; other laws say that there must be evidence that financial harm was caused by the breach before notification is required.
"Each [special-interest] group has different state laws that they like and don't want to lose anything they have today," Swire says.
Consumer advocates seek laws requiring quick notification to allow individual breach victims to make informed decisions to protect their finances and personal identities, says Eugene Spafford, founder of the Center for Education and Research in Information Assurance and Security at Purdue University. But Spafford says it's not always clear that quick notification is useful to consumers because the nature of the breach and the consequences may not yet be fully understood.
"Companies experiencing breaches seek to minimize cost," he says. "Sometimes, breaches have no direct cost to consumers because the data is properly encrypted or segregated, so disclosure serves no useful purpose other than to shame the vendor. In other cases, the vendor may feel forced by disclosure to take expensive and (perhaps) unnecessary measures, such as paying for credit monitoring."
Privacy and data security lawyer Scott Vernick of the law firm Fox Rothschild says that virtually every lawmaker would say they believe in the need for a national data breach law, but such support doesn't assure passage.
"How are we supposed to get it done?" Vernick asks. "They can't get their act together on the basic monetary fiscal policy, which is way more important, or extending unemployment benefits. Congress can't frankly get their act together on the important issues, let alone something like this, which would be terrific."
Compromise these days doesn't seem to be in the vocabulary of many lawmakers, as we've seen in the failure of Congress to enact significant cybersecurity legislation in recent years. And that's despite most senators and representatives agreeing on the vast majority of the provisions found in various IT security bills.
But the disagreements over those bills - such as how to define privacy and liability protections in information sharing legislation - have prevented such bills from becoming law (see House Handily Passes CISPA). Many lawmakers hold strong ideological beliefs that they feel compromise would erode, including those dealing with data breach notification.
"Because of the conflicts of the parties," Spafford says, "it is difficult to come up with a uniform statute that adequately addresses all the concerns."
A national data breach notification law is generally seen as an improvement over individual state laws, at least to businesses that find it a big challenge to adhere to 46 different state procedures.
Would a relatively weak federal law be better than no federal requirements at all? I guess it depends on the ingredients. I like my apple pie without raisins. How about you?