Data Security Needs National Standards, Panelists Tell House Subcommittee

In the wake of breaches that have compromised the data of millions of Americans at companies as varied as Equifax and Uber, industry observers and participants told a House subcommittee on Wednesday that data security should be standardized at the national level.

A national data standard would replace the current fragmented regime of dozens of differing state laws, added those who testified before the House Financial Institutions and Consumer Credit subcommittee.

As might be expected, some testimony before the subcommittee mentioned the Equifax breach, in which hackers stole information on more than 145 million Americans, ranging from Social Security numbers to addresses.

In testimony before the subcommittee, Marc Rotenberg, president of the Electronic Privacy Information Center, said the recent experience with Equifax demonstrates the need for prompt breach notification, adding that, “As long as that software was not updated, the breach was ongoing.”

At present, breach notification and other aspects of data security procedures and standards are governed by the states. As described by one panelist, Aaron Cooper, VP of Global Policy with BSA | The Software Alliance, that fragmented governance structure began in 2003, when California became the first state to enact legislation governing data breaches. Other states and territories, more than 50 jurisdictions in all, have since enacted their own laws, each with different requirements for handling breaches. The result has been a “patchwork” of laws, Cooper said in testimony to the subcommittee.

Separately, Nathan Taylor, partner with Morrison & Foerster, said a national standard should be adopted, with common procedures in place to govern enterprises that deal with sensitive consumer data.

Taylor’s written suggestions to the subcommittee said any federal initiative should include strong, yet flexible and scalable, data protection standards. In his testimony, Taylor said a federal bill should, among other things, require notification to consumers when a breach puts them at risk of harm. Federal legislation should also preempt state laws, he said.

“When you review the current landscape of state laws, you find a complex matrix of inconsistent, sometimes duplicative and often contradictory requirements,” he told the subcommittee.

Rotenberg said that countries outside the U.S. are concerned about the absence of adequate privacy protection for the personal data collected by firms in the United States.

“There is a real risk that over the next year, privacy officials in Europe will move to limit the flow of personal information to the United States unless appropriate legal safeguards are established,” he said in testimony.

Panelists noted that beginning in May, when the EU’s General Data Protection Regulation takes effect, companies operating there must report a breach to the supervising regulator within 72 hours of becoming aware of it, and must notify affected consumers without undue delay when the breach is likely to put them at high risk. EU residents will also have the right to demand that companies erase their personal data, known as the “right to be forgotten.” Such standards should be considered for the United States, said those who testified before the subcommittee.

During discussion with lawmakers, Maxine Waters, a Democrat from California, cautioned that a national standard that preempts state law could become a “race to the bottom” if it is set below the stronger protections some states already provide, rather than matching them.