Leahy is sponsoring a leading data breach bill, which would set criminal penalties for those who fail to disclose breaches.
In the aftermath of major hacking attacks at retail giants Target and Neiman Marcus, lawmakers have been searching for a way to move forward on data security legislation and seem to have arrived at one area of limited bipartisan consensus — creating a federal standard requiring companies to disclose data breaches.
But industry representatives and some lawmakers say that won’t be nearly enough to address a growing security threat.
“Breach notification laws can be a useful tool to — potentially — raise awareness about data security issues, incentivize companies to invest in security and empower consumers,” said one financial sector representative who asked not to be named. “But the reality is that notification is after the fact. The key to data security is to prevent breaches in the first place and notification does nothing to prevent breaches except in a very indirect way.”
Justin Brookman, the head of the Project on Consumer Privacy at the Center for Democracy and Technology, said Congress would be taking action on notification years after other levels of government have already acted on it.
“It wouldn’t be enough to address data breaches,” he said. “States have already enacted breach notification. A federal law would just make it easier on everyone by providing one standard.”
If a federal law provides liability protections and other incentives for companies that disclose attacks, it could actually make experiencing a breach cheaper for them, he said. Brookman called on Congress to look at other issues, such as requiring companies to have a reasonable level of security and tell customers what information they’re collecting and retaining.
Virginia Democratic Sen. Mark Warner, chairman of the Banking, Housing and Urban Affairs Subcommittee on National Security, International Trade and Finance, said that notification isn’t the only area where there’s bipartisan agreement; lawmakers are also close to consensus on the idea that debit cards should get the same level of fraud protection as credit cards.
But he said he expects Congress to move, carefully and deliberately, beyond those two areas.
“I’m not sure that breach notification will be sufficient,” Warner said. “I’m not looking to add new regulations without some thoughtfulness. We’re at the tip of the iceberg here.”
The open question is what Congress could do that would go beyond those issues and stand a chance at passing. Several members, notably Massachusetts Democratic Sen. Elizabeth Warren, have talked about giving the Federal Trade Commission increased authority to enforce data security standards, but Republicans see more regulation as a non-starter.