Leahy is sponsoring a leading data breach bill, which would set criminal penalties for those who fail to disclose breaches.
Congress would now also be working against the backdrop of a variety of notification laws adopted by 47 states and the District of Columbia. A federal law would almost certainly pre-empt those statutes, and Brookman said Congress therefore would have to take care in coming up with its language.
“If it’s a weak law, it would actually supersede some of the better state laws out there,” he said.
Still, House and Senate aides say if Congress is able to move any data breach legislation this year, notification is the most likely area for progress, whether on its own, as an amendment or as part of a larger package.
Warner said that, unlike many regulatory proposals, breach notification has an obvious appeal to industry, as it could actually save companies money.
“I think industry realizes the problem of the free rider,” he said. “What happens if you do security, but someone doesn’t, and you don’t know about it, and you become vulnerable?”
But the problem with focusing on notification, according to industry watchers, is that while it can have some positive effects, including allowing consumers to respond more quickly when their accounts are compromised and possibly tipping companies to a hacking threat that hasn’t yet hit them, it doesn’t otherwise have much preventive value.
“I’m torn about that,” Vanderhoof said. “Because it’s really trying to deal with damages after the fact rather than stopping breaches from happening.”
Another problem financial and technology sector groups see with breach notification is the fear that Congress might be declaring a symbolic victory in a battle it should long ago have settled.
“Congress may enact a federal breach notification law because members want to demonstrate some progress on the issue of data security and breach notification is currently one of the few areas of consensus,” said the finance industry representative. “Of course, consensus in Congress could grow beyond breach notification if more breaches are made public.”
Sen. Dianne Feinstein, D-Calif., floated a notification proposal as long ago as 2003. Lawmakers seemed close to reaching agreement on a bill in the last session, but those negotiations collapsed.
In the fast-moving world of digital threats, the pace of congressional debate seems especially slow. Warner said that slow speed could mean that Congress will eventually act on something more comprehensive.
“Even if we just start with notification, that takes us so long that by the time we’re done we might have come up with something else,” he said.